Skip to main content

PHP CVE-2025-47937

LOW
Incorrect Authorization (CWE-863)
2025-05-20 security-advisories@github.com
PHP Authentication Bypass Typo3
3.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 28, 2026 - 18:42 vuln.today
CVE Published
May 20, 2025 - 14:15 nvd
LOW 3.7

DescriptionGitHub Advisory

TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via FrontendGroupRestriction to the first table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.

AnalysisAI

TYPO3 is an open source, PHP based web content management system. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via FrontendGroupRestriction to the first table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem. Affected products include: Typo3. Version information: version 9.0.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

CVE-2025-47937 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy