TYPO3
cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*
- >= 9.0.0, <= 9.5.50
- >= 10.0.0, <= 10.4.49
- >= 11.0.0, <= 11.5.43
- >= 12.0.0, <= 12.4.30
- >= 13.0.0, <= 13.4.11
A vulnerability in TYPO3's database abstraction layer (DBAL) could lead to unauthorized information disclosure. This issue affects TYPO3 versions from 9.0.0 before 9.5.51 ELTS, from 10.0.0 before 10.4.49 ELTS, from 11.0.0 before 11.5.43 ELTS, from 12.0.0 before 12.4.30 LTS, and from 13.0.0 before 13.4.11 LTS. The vulnerability arises because frontend user permissions, managed through 'FrontendGroupRestriction', are only applied to the last table in a multi-table database query. Consequently, rows from the earlier tables in such a query are returned without the frontend group check and may be exposed to unauthorized users.
Exploitation of this vulnerability could result in unauthorized access to sensitive data from multiple tables in the database, potentially leading to information disclosure.
Users are advised to update TYPO3 to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS.
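The following added example is a simplified model of the flaw described above, not TYPO3's own code and not taken from the advisory. It builds a per-table frontend-group constraint for a two-table query, once with the flawed "last table only" behaviour and once accumulating a constraint per table, and includes a check that reports which table aliases end up without a constraint. The table map, the function names and the group id are constructed for illustration, and PHP 8 is assumed.

```php
<?php
// Simplified model, not TYPO3 code. Constructed map: table => access column.
const FE_GROUP_COLUMN = ['pages' => 'fe_group', 'tt_content' => 'fe_group'];

// Constraint limiting one alias to public rows or rows for the user's groups.
function groupConstraint(string $alias, string $column, array $groupIds): string
{
    $field = "$alias.$column";
    $parts = ["$field IS NULL", "$field = ''", "$field = '0'"];
    foreach ($groupIds as $id) {
        $parts[] = sprintf("FIND_IN_SET('%d', %s)", $id, $field);
    }
    return '(' . implode(' OR ', $parts) . ')';
}

// $accumulate = false models the flaw: each table overwrites the previous
// constraint, so only the last table stays restricted. true is the corrected shape.
function buildRestriction(array $queriedTables, array $groupIds, bool $accumulate): string
{
    $constraints = [];
    foreach ($queriedTables as $alias => $table) {
        $column = FE_GROUP_COLUMN[$table] ?? null;
        if ($column === null) {
            continue; // table has no frontend-group column
        }
        $constraint = groupConstraint($alias, $column, $groupIds);
        $constraints = $accumulate ? [...$constraints, $constraint] : [$constraint];
    }
    return implode(' AND ', $constraints);
}

// Regression check: aliases of restricted tables that $where does not constrain.
function unrestrictedAliases(array $queriedTables, string $where): array
{
    $missing = [];
    foreach ($queriedTables as $alias => $table) {
        $column = FE_GROUP_COLUMN[$table] ?? null;
        if ($column !== null && !str_contains($where, "($alias.$column IS NULL")) {
            $missing[] = $alias;
        }
    }
    return $missing;
}

$tables = ['p' => 'pages', 'c' => 'tt_content']; // constructed two-table join
foreach ([false, true] as $accumulate) {
    $where = buildRestriction($tables, [3], $accumulate);
    printf("%s: unrestricted aliases = [%s]\n", $accumulate ? 'fixed' : 'flawed',
        implode(', ', unrestrictedAliases($tables, $where)));
}
```

The same kind of check can be run as a regression test against the SQL a site's own multi-table queries produce after updating.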