CVE-2025-47938: Unverified Password Change in Typo3

Severity: 3.8 LOW (NVD)
EPSS: 0.2% (top 63.38%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 20

Description

TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, the backend user management interface allows password changes without requiring the current password. When an administrator updates their own account or modifies other user accounts via the admin interface, the current password is not requested for verification. This behavior may lower the protection against unaut

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Exploitability: 1.2 | Impact: 2.5

Affected Packages (4 packages)

Source    | Package         | Introduced | Fixed  | More
NVD       | typo3/typo3     | 9.0.0      | 9.5.51 | +4
Packagist | typo3/cms-core  | 9.0.0      | 9.5.51 | +4
Packagist | typo3/cms-setup | 9.0.0      | 9.5.51 | +4
CVEListV5 | typo3/typo3     | 5 versions |        | +4

Vulnerability Details (3 sources)

OSV: TYPO3 Unverified Password Change for Backend Users (2025-05-20)
GHSA: TYPO3 Unverified Password Change for Backend Users (2025-05-20)
CVEList: TYPO3 Vulnerable to Unverified Password Change for Backend Users (2025-05-20)

Vendor Advisories (1)

Microsoft: An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNECT. (2022-12-13)
CVE-2025-47938 — Unverified Password Change in Typo3 | cvebase