CVE-2025-59020

Medium CVSS: 5.3

By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

Vendor

Typo3

Product

Typo3

CWE

CWE-863

Yayın Tarihi

2026-01-13 12:15:49

Güncelleme

2026-01-14 19:15:16

Source Identifier

f4fb688c-4412-4426-b4b8-421ecf27b14a

KEV Date Added

Kategoriler

CWE-863 Typo3 MEDIUM Typo3 2026

Referanslar

https://github.com/TYPO3/typo3/commit/ac3f792bd5ab7c58153fc1075cb9e001c9cebe3b https://github.com/TYPO3/typo3/commit/cd11a19958d823d12d028f9345b41739c7e70118 https://github.com/TYPO3/typo3/commit/fb98378a8fd30dd50d89a3d1a420780819f38232 https://typo3.org/security/advisory/typo3-core-sa-2026-001

Benzer Kayıtlar

Medium

CVE-2025-59021

Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, crea…

High

CVE-2025-59022

Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the T…

Medium

CVE-2026-0859

TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious…

Medium

CVE-2025-59019

Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.…

Medium

CVE-2025-59015

A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.…

Medium

CVE-2025-59016

Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0…