SB2025091035 - Multiple vulnerabilities in TYPO3
Published: September 10, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2025-59019)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application within the CSV download feature in the backend user interface. A remote user can gain unauthorized access to sensitive information on the system.
2) Insufficient Entropy (CVE-ID: CVE-2025-59015)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient entropy issue in password generation. A remote attacker can gain access to sensitive information on the system.
3) Information Exposure Through an Error Message (CVE-ID: CVE-2025-59016)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to information exposure through an error message in the File Abstraction Layer. A remote user can gain unauthorized access to sensitive information on the system.
4) Missing Authorization (CVE-ID: CVE-2025-59017)
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to missing authorization in Backend AJAX routes. A remote user can bypass module‑level restrictions.
5) Information disclosure (CVE-ID: CVE-2025-59018)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in Workspaces Module. A remote user can gain unauthorized access to sensitive information on the system.
Remediation
Install update from vendor's website.