TYPO3 CMS Unverified Password Change Vulnerability (CVE-2025-47938) Advisory

Key Information Vulnerability ID: TYPO3-CORE-SA-2025-013 Vulnerability Type: Unverified Password Change Affected Component: TYPO3 CMS Subcomponents: DataHandler & Setup Module (ext:core, ext:setup) Release Date: May 20, 2025 Vulnerability Category: Security Misconfiguration Affected Versions: - 9.0.0–9.5.50 - 10.0.0–10.4.49 - 11.0.0–11.5.43 - 12.0.0–12.4.30 - 13.0.0–13.4.11 Severity: Low Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:A/N References: CVE-2025-47938, CWE-620 Description The backend user management interface allows password changes without verifying the current password. When an administrator updates their own account or modifies another user’s account via the admin interface, no current password verification is required. This behavior may reduce protection against unauthorized access, especially if an administrator’s session is hijacked or left unattended, as it permits password changes without additional authentication. Solution Upgrade to the following versions to resolve this issue: 9.5.51 ELTS 10.4.50 ELTS 11.5.44 ELTS 12.4.31 LTS 13.4.12 LTS In these versions, administrators must authenticate via step-by-step authentication (also known as sudo mode) when changing backend user passwords. Acknowledgments Thank you to the Swiss National Cyber Security Centre (NCSC) for reporting this issue, and to TYPO3 core and security team member Benjamin Franzke for fixing it.

Goal Reached Thanks to every supporter — we hit 100%!

TYPO3 CMS Unverified Password Change Vulnerability (CVE-2025-47938) Advisory