CVE-2025-59019

EPSS 0.07%

TYPO3 CSV download feature information disclosure

Published: 9/9/2025Modified: 9/9/2025

Description

Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them.

Affected packages (2)

Packagist/typo3/cms-backend>= 12.0.0, < 12.4.37
Packagist/typo3/cms-recordlist>= 11.0.0, < 12.4.37

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-59019
WEBhttps://github.com/TYPO3-CMS/backend/commit/c983415f062c32f8edbb78544a0ff3219bc35d17
WEBhttps://typo3.org/security/advisory/typo3-core-sa-2025-023