CVE-2025-59017 — Missing Authorization in CMS

CWE-862 — Missing Authorization4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 77.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 CMS Typo3 Typo3 Cms-backend +4 more

Timeline

PublishedSep 9

Description

Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages7 packages

▶Packagisttypo3/cms-backend9.0.0 — 12.4.37+4

▶NVDtypo3/typo39.0.0 — 9.5.55+4

▶CVEListV5typo3/typo3_cms9.0.0 — 9.5.55+4

▶Packagisttypo3/cms-beuser13.0.0 — 13.4.18+4

▶Packagisttypo3/cms-recycler9.0.0 — 12.4.37+4

🔴Vulnerability Details

GHSA

TYPO3 backend modules have Broken Access Control↗2025-09-09

▶

OSV

TYPO3 backend modules have Broken Access Control↗2025-09-09

▶

CVEList

Broken Access Control in Backend AJAX Routes↗2025-09-09

▶