TYPO3 CMS
cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*
- >= 9.0.0, <= 9.5.54
- >= 10.0.0, <= 10.4.53
- >= 11.0.0, <= 11.5.47
- >= 12.0.0, <= 12.4.36
- >= 13.0.0, <= 13.4.17
A broken access control vulnerability has been identified in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17. The issue arises from missing authorization checks in backend routing: access to a backend module is enforced when the module itself is opened, but the AJAX routes that belong to that module could be invoked directly by any authenticated backend user, without the corresponding module permission being re-checked. A backend user who is not granted a module can therefore call its AJAX endpoints and read, modify, or delete the data those endpoints operate on, bypassing the module-level restriction.
Exploitation requires a valid backend account, so this is a privilege escalation within the backend rather than an unauthenticated attack. The impact is bounded by what the reachable AJAX routes do: a low-privileged editor can perform the operations exposed by modules they were never assigned, which may include unauthorized data access or manipulation.
Users are advised to update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, or 13.4.18 LTS, all of which address this vulnerability (ELTS releases are TYPO3's paid Extended Long Term Support line; 9.5, 10.4 and 11.5 receive fixes only there). After updating, it is recommended to verify the fix by requesting a module's AJAX route as a backend user who is not granted that module and confirming that the request is refused, and to review any site-specific extensions that register their own AJAX routes so that the handlers or controllers behind them enforce module access themselves instead of relying on the router.
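As an added illustration of that last recommendation, the following is an example AJAX controller for a hypothetical extension; it is not TYPO3 core code and not code from this advisory. The extension name `Vendor\Example`, the module identifier `web_example`, the route name and path, and the `tt_content` table are all assumptions. The unchecked action shows the pattern that the routing bug turned into a bypass; the hardened action re-checks module access inside the handler so the decision no longer depends on how the user reached the URL, and delegates the delete to `DataHandler`, which additionally applies the user's table and record permissions.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core or extension code. Extension, module and
// route names below are assumptions made for illustration.
//
// Route registration in the extension's Configuration/Backend/AjaxRoutes.php:
//
//   return [
//       'example_record_delete' => [
//           'path'   => '/example/record/delete',
//           'target' => \Vendor\Example\Controller\RecordAjaxController::class . '::deleteAction',
//       ],
//   ];
//
// The route is then reachable at /typo3/ajax/example/record/delete.

namespace Vendor\Example\Controller;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
use TYPO3\CMS\Core\DataHandling\DataHandler;
use TYPO3\CMS\Core\Http\JsonResponse;
use TYPO3\CMS\Core\Utility\GeneralUtility;

final class RecordAjaxController
{
    // Backend module this AJAX route belongs to (assumed identifier).
    private const MODULE = 'web_example';

    // Table the route operates on (assumed for the example).
    private const TABLE = 'tt_content';

    /**
     * Vulnerable pattern: the handler assumes only users who can open the
     * "web_example" module will ever reach it, and performs no check of its own.
     * With the affected routing behaviour, any authenticated backend user can
     * POST uid=... to this route and delete the record.
     */
    public function deleteActionUnchecked(ServerRequestInterface $request): ResponseInterface
    {
        $uid = (int)($request->getParsedBody()['uid'] ?? 0);
        $this->deleteRecord($uid);
        return new JsonResponse(['deleted' => $uid]);
    }

    /**
     * Hardened pattern: verify module access in the handler itself, before any
     * input is read, and refuse with 403 when the backend user lacks it.
     * BackendUserAuthentication::check('modules', ...) returns true for admins
     * and for users whose groups grant the module.
     */
    public function deleteAction(ServerRequestInterface $request): ResponseInterface
    {
        $backendUser = $this->getBackendUser();
        if ($backendUser === null || !$backendUser->check('modules', self::MODULE)) {
            return new JsonResponse(['error' => 'Access denied'], 403);
        }

        $uid = (int)($request->getParsedBody()['uid'] ?? 0);
        if ($uid <= 0) {
            return new JsonResponse(['error' => 'Invalid uid'], 400);
        }

        $this->deleteRecord($uid);
        return new JsonResponse(['deleted' => $uid]);
    }

    private function getBackendUser(): ?BackendUserAuthentication
    {
        return $GLOBALS['BE_USER'] ?? null;
    }

    /**
     * Delete through DataHandler rather than a raw query: DataHandler enforces
     * the current user's table, page and record permissions as a second layer,
     * so the module check above is not the only thing standing in the way.
     */
    private function deleteRecord(int $uid): void
    {
        $dataHandler = GeneralUtility::makeInstance(DataHandler::class);
        $dataHandler->start([], [self::TABLE => [$uid => ['delete' => 1]]]);
        $dataHandler->process_cmdmap();
    }
}
```

To verify the hardened handler behaves as intended, log in as a backend user whose groups do not grant `web_example` and POST to `/typo3/ajax/example/record/delete` with a valid `uid`; the expected result is a 403 JSON response and no change to the record, while an editor who is granted the module (or an admin) gets the delete applied subject to DataHandler's own permission checks.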