Lookup for vulnerable packages by Package URL.

Purl pkg:composer/typo3/cms-setup@13.2.1
Type composer
Namespace typo3
Name cms-setup
Version 13.2.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 13.4.12
Latest_non_vulnerable_version 13.4.12
Affected_by_vulnerabilities
0
url VCID-65ue-7jd9-23gf
vulnerability_id VCID-65ue-7jd9-23gf
summary
TYPO3 Unverified Password Change for Backend Users
### Problem
The backend user management interface allows password changes without requiring the current password. When an administrator updates their own account or modifies other user accounts via the admin interface, the current password is not requested for verification.

This behavior may lower the protection against unauthorized access in scenarios where an admin session is hijacked or left unattended, as it enables password changes without additional authentication.

### Solution
Update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described.

> [!NOTE]
> In these versions, administrators are required to verify their identity through step-up authentication (also known as sudo mode) when changing backend user passwords.

### Credits
Thanks to the National Cyber Security Center (NCSC) of Switzerland for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-47938
reference_id
reference_type
scores
0
value 0.00158
scoring_system epss
scoring_elements 0.36559
published_at 2026-04-07T12:55:00Z
1
value 0.00158
scoring_system epss
scoring_elements 0.36545
published_at 2026-04-21T12:55:00Z
2
value 0.00158
scoring_system epss
scoring_elements 0.36606
published_at 2026-04-18T12:55:00Z
3
value 0.00158
scoring_system epss
scoring_elements 0.36623
published_at 2026-04-16T12:55:00Z
4
value 0.00158
scoring_system epss
scoring_elements 0.36689
published_at 2026-04-02T12:55:00Z
5
value 0.00158
scoring_system epss
scoring_elements 0.36636
published_at 2026-04-11T12:55:00Z
6
value 0.00158
scoring_system epss
scoring_elements 0.36629
published_at 2026-04-09T12:55:00Z
7
value 0.00158
scoring_system epss
scoring_elements 0.36721
published_at 2026-04-04T12:55:00Z
8
value 0.00158
scoring_system epss
scoring_elements 0.3661
published_at 2026-04-08T12:55:00Z
9
value 0.00158
scoring_system epss
scoring_elements 0.36577
published_at 2026-04-13T12:55:00Z
10
value 0.00158
scoring_system epss
scoring_elements 0.36602
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-47938
1
reference_url https://github.com/TYPO3-CMS/core/commit/b9a8bcb614ecdd42aa27e1c430c6213d6b6b20b3
reference_id
reference_type
scores
0
value 3.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3-CMS/core/commit/b9a8bcb614ecdd42aa27e1c430c6213d6b6b20b3
2
reference_url https://github.com/TYPO3-CMS/setup/commit/60572dd050d8d861921889a19599bfe045fed5fd
reference_id
reference_type
scores
0
value 3.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3-CMS/setup/commit/60572dd050d8d861921889a19599bfe045fed5fd
3
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-3jrg-97f3-rqh9
reference_id
reference_type
scores
0
value 3.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-20T13:56:18Z/
url https://github.com/TYPO3/typo3/security/advisories/GHSA-3jrg-97f3-rqh9
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-47938
reference_id
reference_type
scores
0
value 3.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-47938
5
reference_url https://typo3.org/security/advisory/typo3-core-sa-2025-013
reference_id
reference_type
scores
0
value 3.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-20T13:56:18Z/
url https://typo3.org/security/advisory/typo3-core-sa-2025-013
6
reference_url https://github.com/advisories/GHSA-3jrg-97f3-rqh9
reference_id GHSA-3jrg-97f3-rqh9
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3jrg-97f3-rqh9
fixed_packages
0
url pkg:composer/typo3/cms-setup@13.4.12
purl pkg:composer/typo3/cms-setup@13.4.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-setup@13.4.12
aliases CVE-2025-47938, GHSA-3jrg-97f3-rqh9
risk_score 1.7
exploitability 0.5
weighted_severity 3.4
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-65ue-7jd9-23gf
Fixing_vulnerabilities
Risk_score 1.7
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-setup@13.2.1