Search for vulnerabilities
Vulnerability ID | VCID-8j4w-uu8f-cugg |
Aliases |
CVE-2025-47937
GHSA-x8pv-fgxp-8v3x |
Summary | TYPO3 Allows Information Disclosure via DBAL Restriction Handling ### Problem When performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via `FrontendGroupRestriction` to the last table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users. ### Solution Update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described. ### Credits Thanks to Christian Futterlieb for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it. |
Status | Published |
Exploitability | 0.5 |
Weighted Severity | 3.3 |
Risk | 1.6 |
Affected and Fixed Packages | Package Details |
System | Score | Found at |
---|---|---|
epss | 0.00041 | https://api.first.org/data/v1/epss?cve=CVE-2025-47937 |
cvssv3.1 | 3.7 | https://github.com/TYPO3-CMS/core |
generic_textual | LOW | https://github.com/TYPO3-CMS/core |
cvssv3.1 | 3.7 | https://github.com/TYPO3/typo3/security/advisories/GHSA-x8pv-fgxp-8v3x |
generic_textual | LOW | https://github.com/TYPO3/typo3/security/advisories/GHSA-x8pv-fgxp-8v3x |
ssvc | Track | https://github.com/TYPO3/typo3/security/advisories/GHSA-x8pv-fgxp-8v3x |
cvssv3.1 | 3.7 | https://nvd.nist.gov/vuln/detail/CVE-2025-47937 |
generic_textual | LOW | https://nvd.nist.gov/vuln/detail/CVE-2025-47937 |
cvssv3.1 | 3.7 | https://typo3.org/security/advisory/typo3-core-sa-2025-011 |
generic_textual | LOW | https://typo3.org/security/advisory/typo3-core-sa-2025-011 |
ssvc | Track | https://typo3.org/security/advisory/typo3-core-sa-2025-011 |
Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
Percentile | 0.11947 |
EPSS Score | 0.00041 |
Published At | June 30, 2025, 12:55 p.m. |
Date | Actor | Action | Source | VulnerableCode Version |
---|---|---|---|---|
2025-07-01T12:13:12.181648+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-x8pv-fgxp-8v3x/GHSA-x8pv-fgxp-8v3x.json | 36.1.3 |