CVE-2025-47938

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-47938
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47938.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-47938
Aliases
Published
2025-05-20T13:49:39.070Z
Modified
2026-04-10T05:27:51.853386Z
Severity
  • 3.8 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
TYPO3 Vulnerable to Unverified Password Change for Backend Users
Details

TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, the backend user management interface allows password changes without requiring the current password. When an administrator updates their own account or modifies other user accounts via the admin interface, the current password is not requested for verification. This behavior may lower the protection against unauthorized access in scenarios where an admin session is hijacked or left unattended, as it enables password changes without additional authentication. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-620"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47938.json"
}
References

Affected packages

Git / github.com/typo3/typo3

Affected ranges

Type
GIT
Repo
https://github.com/typo3/typo3
Events
Introduced
36096733dea4bd6f6168209609fa879dc25c0138
Fixed
1f80000d7c594d2333efd2bef2f842338a0115a6
Database specific 
{
    "versions": [
        {
            "introduced": "12.0.0"
        },
        {
            "fixed": "12.4.31"
        }
    ]
}
Type
GIT
Repo
https://github.com/typo3/typo3
Events
Introduced
fd8745e46bb11773e85524b8ee9650dabe340713
Fixed
812e327a74813bdb07d19cde3076d3d41b8ca4cf
Database specific 
{
    "versions": [
        {
            "introduced": "13.0.0"
        },
        {
            "fixed": "13.4.12"
        }
    ]
}

Affected versions

v12.*
v12.0.0
v12.1.0
v12.2.0
v12.3.0
v12.4.0
v12.4.1
v12.4.10
v12.4.11
v12.4.12
v12.4.13
v12.4.14
v12.4.15
v12.4.16
v12.4.17
v12.4.18
v12.4.19
v12.4.2
v12.4.20
v12.4.21
v12.4.22
v12.4.23
v12.4.24
v12.4.25
v12.4.26
v12.4.27
v12.4.28
v12.4.29
v12.4.3
v12.4.30
v12.4.4
v12.4.5
v12.4.6
v12.4.7
v12.4.8
v12.4.9
v13.*
v13.0.0
v13.1.0
v13.2.0
v13.2.1
v13.3.0
v13.4.0
v13.4.1
v13.4.10
v13.4.11
v13.4.2
v13.4.3
v13.4.4
v13.4.5
v13.4.6
v13.4.7
v13.4.8
v13.4.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47938.json"

Git / github.com/typo3/typo3.cms

Affected ranges

Type
GIT
Repo
https://github.com/typo3/typo3.cms
Events
Introduced
36096733dea4bd6f6168209609fa879dc25c0138
Fixed
1f80000d7c594d2333efd2bef2f842338a0115a6
Introduced
fd8745e46bb11773e85524b8ee9650dabe340713
Fixed
812e327a74813bdb07d19cde3076d3d41b8ca4cf
Database specific 
{
    "versions": [
        {
            "introduced": "12.0.0"
        },
        {
            "fixed": "12.4.31"
        },
        {
            "introduced": "13.0.0"
        },
        {
            "fixed": "13.4.12"
        }
    ]
}

Affected versions

v12.*
v12.0.0
v12.1.0
v12.2.0
v12.3.0
v12.4.0
v12.4.1
v12.4.10
v12.4.11
v12.4.12
v12.4.13
v12.4.14
v12.4.15
v12.4.16
v12.4.17
v12.4.18
v12.4.19
v12.4.2
v12.4.20
v12.4.21
v12.4.22
v12.4.23
v12.4.24
v12.4.25
v12.4.26
v12.4.27
v12.4.28
v12.4.29
v12.4.3
v12.4.30
v12.4.4
v12.4.5
v12.4.6
v12.4.7
v12.4.8
v12.4.9
v13.*
v13.0.0
v13.1.0
v13.2.0
v13.2.1
v13.3.0
v13.4.0
v13.4.1
v13.4.10
v13.4.11
v13.4.2
v13.4.3
v13.4.4
v13.4.5
v13.4.6
v13.4.7
v13.4.8
v13.4.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47938.json"