VYPR
Moderate severity · NVD Advisory · Published Sep 9, 2025 · Updated Sep 11, 2025

Information Disclosure via CSV Download

CVE-2025-59019

Description

Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization checks in TYPO3 CMS CSV download allow backend users to disclose arbitrary database table records within their web mounts.

Vulnerability

Description

The CSV download feature in TYPO3 CMS backend (List Module, ext:backend, ext:recordlist) lacked proper authorization checks. When a backend user initiated a CSV download, the system did not verify whether the user had permission to select data from the requested database table. This missing check allowed users to request and retrieve records from arbitrary tables, as long as those records fell within the page tree the user was already permitted to access [1][2].

Exploitation

An authenticated backend user with access to any page in the web mount could exploit this by crafting a CSV download request targeting a database table they were not authorized to view. The vulnerability existed in TYPO3 CMS versions 11.0.0 through 11.5.47, 12.0.0 through 12.4.36, and 13.0.0 through 13.4.17 [2]. The attack requires no special privileges beyond a standard backend user account and can be performed over the network [2].

Impact

Successful exploitation leads to information disclosure. An attacker could extract sensitive data from database tables that the user should not have access to, such as user credentials, configuration details, or other protected content. The vulnerability is classified as Medium severity with a CVSS v4.0 vector of AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N [2].

Mitigation

The issue has been fixed in TYPO3 versions 11.5.48 ELTS, 12.4.37 LTS, and 13.4.18 LTS. The fix adds a permission check using $backendUser->check('tables_select', $this->table) before processing the download request, ensuring that only users with explicit select rights on the target table can proceed [3]. Administrators are advised to update to the patched versions immediately.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          | Affected versions     | Patched versions
typo3/cms-backend (Packagist)    | >= 12.0.0, < 12.4.37  | 12.4.37
typo3/cms-backend (Packagist)    | >= 13.0.0, < 13.4.18  | 13.4.18
typo3/cms-recordlist (Packagist) | >= 11.0.0, < 12.4.37  | 12.4.37

Affected products

  • TYPO3/Typo3 [llm-fuzzy]
    Range: >=11.0.0 <=11.5.47, >=12.0.0 <=12.4.36, >=13.0.0 <=13.4.17
  • TYPO3/TYPO3 CMS [v5]
    Range: 11.0.0

Patches

Commit c983415f062c

[SECURITY] Prevent Information Disclosure in record list downloader

https://github.com/TYPO3-CMS/backend · Benjamin Franzke · Sep 9, 2025 · via ghsa
1 file changed · +6 −1
  • Classes/Controller/RecordListDownloadController.php (+6 −1, modified)
    @@ -105,6 +105,12 @@ public function handleDownloadRequest(ServerRequestInterface $request): Response
             if ($this->table === '') {
                 throw new \RuntimeException('No table was given for downloading records', 1623941276);
             }
    +
    +        $backendUser = $this->getBackendUserAuthentication();
    +        if (!$backendUser->check('tables_select', $this->table)) {
    +            throw new AccessDeniedException('Insufficient permissions for accessing this download', 1756895674);
    +        }
    +
             // @todo we might want to throw an exception in case no schema exists for the table
             $schema = $this->tcaSchemaFactory->has($this->table) ? $this->tcaSchemaFactory->get($this->table) : null;
             $this->format = (string)($parsedBody['format'] ?? '');
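Review bot: `AccessDeniedException` is used unqualified in the new block but no `use` import is visible in this hunk; confirm the class is imported at the top of `RecordListDownloadController.php`, otherwise PHP will resolve it relative to the controller's namespace and the throw will fail with a class-not-found error instead of a clean access denial. The placement itself is right: `$this->table` is taken from the request body, so gating on `$backendUser->check('tables_select', $this->table)` immediately after the empty-table guard and before `$this->tcaSchemaFactory->get($this->table)` means no table metadata or rows are touched for a table the user may not read.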
    @@ -123,7 +129,6 @@ public function handleDownloadRequest(ServerRequestInterface $request): Response
             $tsConfig = is_array($tsConfig) ? $tsConfig : null;
     
             // Loading current page record and checking access
    -        $backendUser = $this->getBackendUserAuthentication();
             $perms_clause = $backendUser->getPagePermsClause(Permission::PAGE_SHOW);
             $pageinfo = BackendUtility::readPageAccess($this->id, $perms_clause);
             $searchString = (string)($parsedBody['searchString'] ?? '');
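Review bot: The removal of `$backendUser = $this->getBackendUserAuthentication();` here is only a relocation, since the same assignment now happens earlier in the method, but the comment "Loading current page record and checking access" is now misleading: the `getPagePermsClause(Permission::PAGE_SHOW)` / `readPageAccess` pair still only verifies access to the page, which is exactly the check that was insufficient before. Consider rewording it to note that table-level read permission has already been enforced above, and add a test covering a non-admin user who has PAGE_SHOW on the page but lacks `tables_select` for the requested table, so the two checks are not silently collapsed back into one in a later refactor.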
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
