logo

Database

Improper authorization control for web services In typo3/cms-workspaces

Description

TYPO3 backend modules have Broken Access Control Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-590172. NVD-2025-590173. OSV-2025-590174. GCVE-2025-59017

References

1. https://github.com/TYPO3-CMS/backend/commit/0aedf33d910bceafc2ed0e715743cc0d301245012. https://github.com/TYPO3-CMS/beuser/commit/eb9b0c14a514a7aada8a2aa30e57696e286044c73. https://github.com/TYPO3-CMS/dashboard/commit/582006c6bdf251160001eee6624901baccdcfcd24. https://github.com/TYPO3-CMS/recycler/commit/43475578eb1d9fa3b765537c96bcdf48582ee53b5. https://github.com/TYPO3-CMS/workspaces/commit/32222508043940f9073c338d4205c730a2e020706. https://typo3.org/security/advisory/typo3-core-sa-2025-021

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.