VulnerableCode Package Details - pkg:composer/typo3/cms-backend@11.5.40

Search for packages

Vulnerability	Summary	Fixed by
VCID-uvfp-uq3t-6ffg Aliases: CVE-2025-59020 GHSA-5j7q-wmh7-cqhg	TYPO3 CMS Allows Broken Access Control in Edit Document Controller ### Problem By exploiting the `defVals` parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. ### Solution Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described. ### Credits Thanks to Daniel Windloff for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it. ### References * [TYPO3-CORE-SA-2026-001](https://typo3.org/security/advisory/typo3-core-sa-2026-001)	11.5.49 Affected by 0 other vulnerabilities. 12.4.41 Affected by 0 other vulnerabilities. 13.4.23 Affected by 0 other vulnerabilities. 14.0.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-uvfp-uq3t-6ffg
Aliases:
CVE-2025-59020
GHSA-5j7q-wmh7-cqhg

TYPO3 CMS Allows Broken Access Control in Edit Document Controller ### Problem By exploiting the `defVals` parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. ### Solution Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described. ### Credits Thanks to Daniel Windloff for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it. ### References * [TYPO3-CORE-SA-2026-001](https://typo3.org/security/advisory/typo3-core-sa-2026-001)

11.5.49
Affected by 0 other vulnerabilities.

12.4.41
Affected by 0 other vulnerabilities.

13.4.23
Affected by 0 other vulnerabilities.

14.0.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-716n-jhj7-ebhh	Information Disclosure in TYPO3 Page Tree ### Problem Backend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but the pages allowed access to "everybody." However, affected users could not manipulate these pages. ### Solution Update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described. ### Credits Thanks to Peter Schuler who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue.	CVE-2024-47780 GHSA-rf5m-h8q9-9w6q
VCID-ymvw-ev1y-8fa3	Denial of Service in TYPO3 Bookmark Toolbar ### Problem Due to insufficient input validation, manipulated data saved in the bookmark toolbar of the backend user interface causes a general error state, blocking further access to the interface. Exploiting this vulnerability requires an administrator-level backend user account. ### Solution Update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described. ### Credits Thanks to Hendrik Eichner who reported this issue and to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-011](https://typo3.org/security/advisory/typo3-core-sa-2024-001)	CVE-2024-34537 GHSA-ffcv-v6pw-qhrp

Vulnerability

Summary

Aliases

VCID-716n-jhj7-ebhh

Information Disclosure in TYPO3 Page Tree ### Problem Backend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but the pages allowed access to "everybody." However, affected users could not manipulate these pages. ### Solution Update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described. ### Credits Thanks to Peter Schuler who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue.

CVE-2024-47780
GHSA-rf5m-h8q9-9w6q

VCID-ymvw-ev1y-8fa3

Denial of Service in TYPO3 Bookmark Toolbar ### Problem Due to insufficient input validation, manipulated data saved in the bookmark toolbar of the backend user interface causes a general error state, blocking further access to the interface. Exploiting this vulnerability requires an administrator-level backend user account. ### Solution Update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described. ### Credits Thanks to Hendrik Eichner who reported this issue and to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-011](https://typo3.org/security/advisory/typo3-core-sa-2024-001)

CVE-2024-34537
GHSA-ffcv-v6pw-qhrp

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:08:21.651839+00:00	GitLab Importer	Affected by	VCID-uvfp-uq3t-6ffg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-backend/CVE-2025-59020.yml	38.4.0
2026-04-12T01:31:53.499725+00:00	GitLab Importer	Affected by	VCID-uvfp-uq3t-6ffg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-backend/CVE-2025-59020.yml	38.3.0
2026-04-03T01:40:50.775392+00:00	GitLab Importer	Affected by	VCID-uvfp-uq3t-6ffg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-backend/CVE-2025-59020.yml	38.1.0
2026-04-02T12:40:10.261364+00:00	GitLab Importer	Fixing	VCID-ymvw-ev1y-8fa3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-backend/CVE-2024-34537.yml	38.0.0
2026-04-02T12:40:10.057508+00:00	GitLab Importer	Fixing	VCID-716n-jhj7-ebhh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-backend/CVE-2024-47780.yml	38.0.0
2026-04-01T16:06:34.831616+00:00	GHSA Importer	Fixing	VCID-ymvw-ev1y-8fa3	https://github.com/advisories/GHSA-ffcv-v6pw-qhrp	38.0.0
2026-04-01T16:06:33.065949+00:00	GHSA Importer	Fixing	VCID-716n-jhj7-ebhh	https://github.com/advisories/GHSA-rf5m-h8q9-9w6q	38.0.0
2026-04-01T12:49:21.706793+00:00	GithubOSV Importer	Fixing	VCID-ymvw-ev1y-8fa3	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-ffcv-v6pw-qhrp/GHSA-ffcv-v6pw-qhrp.json	38.0.0
2026-04-01T12:49:08.834717+00:00	GithubOSV Importer	Fixing	VCID-716n-jhj7-ebhh	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-rf5m-h8q9-9w6q/GHSA-rf5m-h8q9-9w6q.json	38.0.0