High severity · 8.6 (NVD) · Advisory · Published May 21, 2025 · Updated Apr 15, 2026
CVE-2025-48207
Description
The reint_downloadmanager extension through 5.0.0 for TYPO3 allows Insecure Direct Object Reference: the plugin's download action accepts an arbitrary sys_file uid in the `downloaduid` request argument without checking that the file belongs to one of the file collections configured for that plugin instance, so a visitor can request files outside the intended download list.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
renolit/reint-downloadmanager (Packagist) | >= 5.0.0, < 5.0.1 | 5.0.1 |
renolit/reint-downloadmanager (Packagist) | < 4.0.2 | 4.0.2 |
Patches
1 commit: 99b07497f584 — Security fix - please update ASAP
4 files changed · +35 −11
Classes/Controller/ManagerController.php+27 −9 modified
@@ -34,12 +34,14 @@ use RENOLIT\ReintDownloadmanager\Domain\Repository\DownloadRepository;
 use TYPO3\CMS\Core\Context\Context;
 use TYPO3\CMS\Core\Database\Query\QueryBuilder;
+use TYPO3\CMS\Core\Http\HtmlResponse;
 use TYPO3\CMS\Core\Http\PropagateResponseException;
 use TYPO3\CMS\Core\Messaging\FlashMessage;
 use TYPO3\CMS\Core\Messaging\FlashMessageService;
 use TYPO3\CMS\Core\Resource\Exception\FileDoesNotExistException;
 use TYPO3\CMS\Core\Resource\File;
 use TYPO3\CMS\Core\Resource\FileCollectionRepository;
+use TYPO3\CMS\Core\Resource\FileReference;
 use TYPO3\CMS\Core\Resource\FileRepository;
 use TYPO3\CMS\Core\Resource\ResourceFactory;
 use TYPO3\CMS\Core\Session\UserSessionManager;
@@ -493,7 +495,7 @@ protected function loadCollectionsFromFlexform(): bool
 * @param array $pageIds
 * @throws
 */
- protected function getCollectionsFromPages($pageIds): void
+ protected function getCollectionsFromPages(array $pageIds): void
 {
 $table = 'sys_file_collection';
 $languageAspect = GeneralUtility::makeInstance(Context::class)->getAspect('language');
@@ -534,7 +536,7 @@ protected function getCollectionsFromPages($pageIds): void
 * @return string
 * @throws Exception
 */
- protected function getSysFileCollectionData($uid, $fieldname = 'description_frontend'): string
+ protected function getSysFileCollectionData(int $uid, string $fieldname = 'description_frontend'): string
 {
 $table = 'sys_file_collection';
 /** @var $queryBuilder QueryBuilder */
@@ -569,7 +571,7 @@ protected function setFileNotFound(): void
 }
 
 /**
- * sets the flashmessage for not found file
+ * sets the FlashMessage for not found file
 */
 protected function setFileNoAccess(): void
 {
@@ -596,7 +598,7 @@ protected function writeFlashMessage(string $errorFlashMessage): void
 }
 
 /**
- * @param integer $uid
+ * @param int $uid
 * @return bool
 * @throws Exception
 */
@@ -704,6 +706,22 @@ protected function downloadAction(): ResponseInterface
 if ($this->request->hasArgument('downloaduid') && $this->request->hasArgument('actionfrom')) {
 $returnToAction = $this->request->getArgument('actionfrom');
 $recordUid = (int)$this->request->getArgument('downloaduid');
+
+ $this->loadCollectionsFromFlexform();
+ $this->loadCollectionsFromDb();
+ $files = [];
+ foreach ($this->collections as $collection) {
+ /** @var FileReference $fileReference */
+ foreach ($collection as $fileReference) {
+ $fUid = $fileReference->getOriginalFile()->getUid();
+ $files[$fUid] = $fUid;
+ }
+ }
+ if (!in_array($recordUid, $files)) {
+ $this->setFileNotFound();
+ return $this->redirect('list');
+ }
+
 $publicUri = '';
 $fileName = '';
 $fileModDate = '';
@@ -726,7 +744,7 @@ protected function downloadAction(): ResponseInterface
 $privateUri = $this->getPrivateUrlForNonPublic($file);
 } else {
 $this->setFileNotFound();
- $this->redirect($returnToAction);
+ return $this->redirect($returnToAction);
 }
 if (!$file->isMissing() && is_file($privateUri) && $this->feUserFileAccess) {
 /* update counter or set new */
@@ -735,15 +753,15 @@ protected function downloadAction(): ResponseInterface
 } else {
 if (!$this->feUserFileAccess) {
 $this->setFileNoAccess();
- $this->redirect($returnToAction);
+ return $this->redirect($returnToAction);
 } else {
 $this->setFileNotFound();
- $this->redirect($returnToAction);
+ return $this->redirect($returnToAction);
 }
 }
 } else {
 $this->setFileNotFound();
- $this->redirect('list');
+ return $this->redirect('list');
 }
 }
 return $this->responseFactory->createResponse();
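Review bot: The new allow-list check `if (!in_array($recordUid, $files))` uses loose comparison and a linear scan even though `$files` is already keyed by uid; `if (!isset($files[$recordUid]))` is strict and O(1) and reads as the intended "is this uid in the plugin's collections" test. The loop also assumes every item a collection yields is a `FileReference` (the `@var` hint on the line above it), but if a folder-based `sys_file_collection` can be configured for the plugin, TYPO3's folder collections yield `File` objects on which `getOriginalFile()` does not exist — worth confirming against the collection types the plugin accepts, or guarding with `$fileReference instanceof FileReference ? $fileReference->getOriginalFile() : $fileReference`. Rejecting an out-of-scope uid with `setFileNotFound()` rather than a no-access message is the right choice, as it does not reveal which sys_file uids exist. downloadAction() starts and ends outside this hunk, so whether `$this->collections` is reset before the two load calls cannot be seen here.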
@@ -761,7 +779,7 @@ protected function downloadAction(): ResponseInterface
 * @return ResponseInterface
 * @throws PropagateResponseException
 */
- protected function downloadFile($privateUri, $fileName, $publicUri, $fileModDate = true): ResponseInterface
+ protected function downloadFile(string $privateUri, string $fileName, string $publicUri, bool $fileModDate = true): ResponseInterface
 {
 /* check if there is a setting to redirect only to the file */
 if (isset($this->settings['redirecttofile']) && (int)$this->settings['redirecttofile'] === 1) {
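Review bot: `bool $fileModDate` is now a typed parameter, but downloadAction() initialises the variable it appears to pass as a string (`$fileModDate = '';` in the earlier hunk); under `declare(strict_types=1)` a string argument throws a TypeError, and without it `''` silently coerces to `false` while any non-empty string becomes `true`. Either initialise the local as `$fileModDate = false;` so it matches the declared type, or declare the parameter as the type the call site actually passes. The call to downloadFile() itself is outside the hunks, so this is inferred from the initialiser only and should be checked against the caller.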
Documentation/ChangeLog/Index.rst+6 −0 modified@@ -11,6 +11,12 @@ ChangeLog ========= +- **19.05.2025** -> 5.0.1 + + - Security fix - please update + +----------------------- + - **16.01.2025** -> 5.0.0 - initial release for TYPO3 13.4
Documentation/Settings.cfg+1 −1 modified@@ -1,6 +1,6 @@ [general] project = Download manager -release = 5.0.0 +release = 5.0.1 version = 5.0 copyright = 2025
ext_emconf.php+1 −1 modified@@ -10,7 +10,7 @@ $EM_CONF[$_EXTKEY] = [ 'title' => 'Download manager', 'description' => 'A simple download manager with different views of file collections as downloadable lists.', - 'version' => '5.0.0', + 'version' => '5.0.1', 'category' => 'plugin', 'constraints' => [ 'depends' => [
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle. Mechanics, as far as the fix commit shows: `ManagerController::downloadAction()` reads the `downloaduid` request argument, casts it to int and resolves a file from that uid (outside the shown hunks); before 5.0.1/4.0.2 the only visible gate on the download was the existing `feUserFileAccess` check, so any sys_file uid could be requested regardless of whether it belonged to a collection configured for the plugin. The fix loads the plugin's collections from FlexForm and database, collects the uids of the original files they reference, and redirects to the list with a "file not found" message when the requested uid is not among them; the commit also adds the missing `return` before each `$this->redirect()` so the error paths no longer fall through.
References
5 references:
- github.com/advisories/GHSA-jjwh-4x89-7f5w (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-48207 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/renolit/reint-downloadmanager/CVE-2025-48207.yaml (ghsa, WEB)
- github.com/Kephson/reint_downloadmanager/commit/99b07497f5842a59e934583283e1b5a477ce79a9 (ghsa, WEB)
- typo3.org/security/advisory/typo3-ext-sa-2025-004 (nvd, WEB)