Multiple vulnerabilities in TYPO3
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Unverified Ownership
EUVDB-ID: #VU109604
Risk: Low
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-47940
CWE-ID:
CWE-283 - Unverified Ownership
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise the target system.
The vulnerability exists due to the unverified ownership issue. A remote administrator can gain elevated privileges on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTYPO3: 10.4.0 - 13.4.11
CPE2.3- cpe:2.3:a:typo3:typo3:10.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:10.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:10.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:10.4.9:*:*:*:*:*:*:*
https://github.com/TYPO3/typo3/security/advisories/GHSA-6frx-j292-c844
https://typo3.org/security/advisory/typo3-core-sa-2025-016
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Unverified Password Change
EUVDB-ID: #VU109608
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-47938
CWE-ID:
CWE-620 - Unverified Password Change
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise the target system.
The vulnerability exists due to backend user management interface allows password changes without requiring the current password. A remote administrator can change password without additional authentication.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTYPO3: 9.0.0 - 13.4.11
CPE2.3- cpe:2.3:a:typo3:typo3:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:9.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:9.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:9.5.0:*:*:*:*:*:*:*
https://github.com/TYPO3/typo3/security/advisories/GHSA-3jrg-97f3-rqh9
https://typo3.org/security/advisory/typo3-core-sa-2025-013
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Insufficient Type Distinction
EUVDB-ID: #VU109606
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-47939
CWE-ID:
CWE-351 - Insufficient Type Distinction
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient type distinction. A remote user can upload arbitrary file on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTYPO3: 9.0.0 - 13.4.11
CPE2.3- cpe:2.3:a:typo3:typo3:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:9.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:9.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:9.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:9.5.11:*:*:*:*:*:*:*
https://github.com/TYPO3/typo3/security/advisories/GHSA-9hq9-cr36-4wpj
https://typo3.org/security/advisory/typo3-core-sa-2025-014
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
