CVE-2025-59019 — Sensitive Information Exposure in CMS

CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 86.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 CMS Typo3 Typo3 Cms-backend +1 more

Timeline

PublishedSep 9

Description

Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶Packagisttypo3/cms-backend12.0.0 — 12.4.37+1

▶NVDtypo3/typo311.0.0 — 11.5.48+2

▶CVEListV5typo3/typo3_cms12.0.0 — 12.4.37+2

▶Packagisttypo3/cms-recordlist11.0.0 — 12.4.37

🔴Vulnerability Details

GHSA

TYPO3 CSV download feature information disclosure↗2025-09-09

▶

OSV

TYPO3 CSV download feature information disclosure↗2025-09-09

▶

CVEList

Information Disclosure via CSV Download↗2025-09-09

▶