CVE-2025-47937

LOW3.7EPSS 0.20%

TYPO3 Allows Information Disclosure via DBAL Restriction Handling

Published: 5/20/2025Modified: 5/20/2025

Description

### Problem When performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via `FrontendGroupRestriction` to the last table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users. ### Solution Update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described. ### Credits Thanks to Christian Futterlieb for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it.

Affected packages (1)

Packagist/typo3/cms-core>= 9.0.0, < 9.5.51

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-47937
PATCHhttps://github.com/TYPO3-CMS/core
WEBhttps://github.com/TYPO3/typo3/security/advisories/GHSA-x8pv-fgxp-8v3x
WEBhttps://typo3.org/security/advisory/typo3-core-sa-2025-011