CVE-2025-59018
published 2025-09-09
CVE-2025-59018: Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17…
Priority: P3 (38), medium, 6.5 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.27% (17.9th percentile)
Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms-workspaces | >= 10.0.0 < 12.4.37 | 12.4.37 |
| typo3 | cms-workspaces | >= 11.0.0 < 12.4.37 | 12.4.37 |
| typo3 | cms-workspaces | >= 12.0.0 < 12.4.37 | 12.4.37 |
| typo3 | cms-workspaces | >= 13.0.0 < 13.4.18 | 13.4.18 |
| typo3 | cms-workspaces | >= 9.0.0 < 12.4.37 | 12.4.37 |
| typo3 | typo3 | >= 10.0.0 < 10.4.54 | 10.4.54 |
| typo3 | typo3 | >= 11.0.0 < 11.5.48 | 11.5.48 |
| typo3 | typo3 | >= 12.0.0 < 12.4.37 | 12.4.37 |
| typo3 | typo3 | >= 13.0.0 < 13.4.18 | 13.4.18 |
| typo3 | typo3 | >= 9.0.0 < 9.5.55 | 9.5.55 |
| typo3 | typo3_cms | >= 10.0.0 < 10.4.54 | 10.4.54 |
| typo3 | typo3_cms | >= 11.0.0 < 11.5.48 | 11.5.48 |
| typo3 | typo3_cms | >= 12.0.0 < 12.4.37 | 12.4.37 |
| typo3 | typo3_cms | >= 13.0.0 < 13.4.18 | 13.4.18 |
| typo3 | typo3_cms | >= 9.0.0 < 9.5.55 | 9.5.55 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 7.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV
TYPO3 Workspaces Module Information Disclosure
osv·2025-09-09
CVE-2025-59018 [HIGH] TYPO3 Workspaces Module Information Disclosure
Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access.
GHSA
TYPO3 Workspaces Module Information Disclosure
ghsa·2025-09-09
CVE-2025-59018 [HIGH] CWE-200 TYPO3 Workspaces Module Information Disclosure
Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-09-09