Description

Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them.

Remediation

References

CVE-2025-59019

Related Vulnerabilities

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-25631)

WordPress Plugin YITH Custom Thank You Page for Woocommerce Security Bypass (1.1.6)

MediaWiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-8808)

WordPress Plugin Stockists Manager for Woocommerce Cross-Site Request Forgery (1.0.2.1)

WordPress Ultimate Member Plugin Other Vulnerability (CVE-2022-3383)

Severity

Medium

Classification

CVE-2025-59019 CWE-200 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities