CVE-2025-59019
Published 2025-09-09
Priority: P4 / 25 / medium
CVSS 3.1: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS: 0.21% (11.7th percentile)
Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms-backend | >= 12.0.0 < 12.4.37 | 12.4.37 |
| typo3 | cms-backend | >= 13.0.0 < 13.4.18 | 13.4.18 |
| typo3 | cms-recordlist | >= 11.0.0 < 12.4.37 | 12.4.37 |
| typo3 | typo3 | >= 11.0.0 < 11.5.48 | 11.5.48 |
| typo3 | typo3 | >= 12.0.0 < 12.4.37 | 12.4.37 |
| typo3 | typo3 | >= 13.0.0 < 13.4.18 | 13.4.18 |
| typo3 | typo3_cms | >= 11.0.0 < 11.5.48 | 11.5.48 |
| typo3 | typo3_cms | >= 12.0.0 < 12.4.37 | 12.4.37 |
| typo3 | typo3_cms | >= 13.0.0 < 13.4.18 | 13.4.18 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | v4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
TYPO3 CSV download feature information disclosure
ghsa·2025-09-09
CVE-2025-59019 [MEDIUM] CWE-200 TYPO3 CSV download feature information disclosure
OSV
TYPO3 CSV download feature information disclosure
osv·2025-09-09
CVE-2025-59019 [MEDIUM] TYPO3 CSV download feature information disclosure
Published: 2025-09-09