cvelistv5 - cve-2025-47936

CVE-2025-47936 (GCVE-0-2025-47936)

Vulnerability from cvelistv5

Published

2025-05-20 13:23

Modified

2025-05-20 13:59

Severity ?

3.3 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Summary

TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS, Webhooks are inherently vulnerable to Cross-Site Request Forgery (CSRF), which can be exploited by adversaries to target internal resources (e.g., localhost or other services on the local network). While this is not a vulnerability in TYPO3 itself, it may enable attackers to blindly access systems that would otherwise be inaccessible. An administrator-level backend user account is required to exploit this vulnerability. Users should update to TYPO3 version 12.4.31 LTS or 13.4.12 LTS to fix the problem.

References

►

URL

Tags

	security-advisories@github.com	https://github.com/TYPO3/typo3/security/advisories/GHSA-p4xx-m758-3hpx
	security-advisories@github.com	https://typo3.org/security/advisory/typo3-core-sa-2025-012

Impacted products

	Vendor	Product	Version
	TYPO3	typo3	Version: >= 12.0.0, < 12.4.31 Version: >= 13.0.0, < 13.4.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-47936",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-20T13:48:47.311067Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-20T13:48:54.441Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "typo3",
          "vendor": "TYPO3",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 12.0.0, \u003c 12.4.31"
            },
            {
              "status": "affected",
              "version": "\u003e= 13.0.0, \u003c 13.4.12"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS, Webhooks are inherently vulnerable to Cross-Site Request Forgery (CSRF), which can be exploited by adversaries to target internal resources (e.g., localhost or other services on the local network). While this is not a vulnerability in TYPO3 itself, it may enable attackers to blindly access systems that would otherwise be inaccessible. An administrator-level backend user account is required to exploit this vulnerability. Users should update to TYPO3 version 12.4.31 LTS or 13.4.12 LTS to fix the problem."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-20T13:59:19.751Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-p4xx-m758-3hpx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-p4xx-m758-3hpx"
        },
        {
          "name": "https://typo3.org/security/advisory/typo3-core-sa-2025-012",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-012"
        }
      ],
      "source": {
        "advisory": "GHSA-p4xx-m758-3hpx",
        "discovery": "UNKNOWN"
      },
      "title": "TYPO3 Vulnerable to Server Side Request Forgery via Webhooks"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-47936",
    "datePublished": "2025-05-20T13:23:52.952Z",
    "dateReserved": "2025-05-14T10:32:43.529Z",
    "dateUpdated": "2025-05-20T13:59:19.751Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-47936\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-20T14:15:50.287\",\"lastModified\":\"2025-05-21T20:25:16.407\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS, Webhooks are inherently vulnerable to Cross-Site Request Forgery (CSRF), which can be exploited by adversaries to target internal resources (e.g., localhost or other services on the local network). While this is not a vulnerability in TYPO3 itself, it may enable attackers to blindly access systems that would otherwise be inaccessible. An administrator-level backend user account is required to exploit this vulnerability. Users should update to TYPO3 version 12.4.31 LTS or 13.4.12 LTS to fix the problem.\"},{\"lang\":\"es\",\"value\":\"TYPO3 es un sistema de gesti\u00f3n de contenido web de c\u00f3digo abierto basado en PHP. En las versiones de la rama 12.x anteriores a la 12.4.31 LTS y de la rama 13.x anteriores a la 13.4.2 LTS, los webhooks son inherentemente vulnerables a Cross-Site Request Forgery (CSRF), que puede ser explotada por atacantes para atacar recursos internos (por ejemplo, el host local u otros servicios de la red local). Si bien esto no es una vulnerabilidad propia de TYPO3, puede permitir a los atacantes acceder a sistemas que de otro modo ser\u00edan inaccesibles. Se requiere una cuenta de usuario de backend con nivel de administrador para explotar esta vulnerabilidad. Los usuarios deben actualizar a la versi\u00f3n 12.4.31 LTS o 13.4.12 LTS de TYPO3 para solucionar el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L\",\"baseScore\":3.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.7,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"references\":[{\"url\":\"https://github.com/TYPO3/typo3/security/advisories/GHSA-p4xx-m758-3hpx\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://typo3.org/security/advisory/typo3-core-sa-2025-012\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-47936\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-20T13:48:47.311067Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-20T13:48:32.212Z\"}}], \"cna\": {\"title\": \"TYPO3 Vulnerable to Server Side Request Forgery via Webhooks\", \"source\": {\"advisory\": \"GHSA-p4xx-m758-3hpx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"TYPO3\", \"product\": \"typo3\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 12.0.0, \u003c 12.4.31\"}, {\"status\": \"affected\", \"version\": \"\u003e= 13.0.0, \u003c 13.4.12\"}]}], \"references\": [{\"url\": \"https://github.com/TYPO3/typo3/security/advisories/GHSA-p4xx-m758-3hpx\", \"name\": \"https://github.com/TYPO3/typo3/security/advisories/GHSA-p4xx-m758-3hpx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://typo3.org/security/advisory/typo3-core-sa-2025-012\", \"name\": \"https://typo3.org/security/advisory/typo3-core-sa-2025-012\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS, Webhooks are inherently vulnerable to Cross-Site Request Forgery (CSRF), which can be exploited by adversaries to target internal resources (e.g., localhost or other services on the local network). While this is not a vulnerability in TYPO3 itself, it may enable attackers to blindly access systems that would otherwise be inaccessible. An administrator-level backend user account is required to exploit this vulnerability. Users should update to TYPO3 version 12.4.31 LTS or 13.4.12 LTS to fix the problem.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-20T13:59:19.751Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-47936\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-20T13:59:19.751Z\", \"dateReserved\": \"2025-05-14T10:32:43.529Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-20T13:23:52.952Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

wid-sec-w-2025-1106

Vulnerability from csaf_certbund

Published

2025-05-19 22:00

Modified

2025-05-20 22:00

Summary

TYPO3 Core: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

TYPO3 ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. Über zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.

Angriff

Ein Angreifer kann mehrere Schwachstellen in TYPO3 Core ausnutzen, um Dateien zu manipulieren, Informationen auszuspähen, Sicherheitsvorkehrungen zu umgehen, einen Denial-of-Service auszulösen oder seine Privilegien zu erweitern.

Betroffene Betriebssysteme

- Linux - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "TYPO3 ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. \u00dcber zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in TYPO3 Core ausnutzen, um Dateien zu manipulieren, Informationen auszusp\u00e4hen, Sicherheitsvorkehrungen zu umgehen, einen Denial-of-Service auszul\u00f6sen oder seine Privilegien zu erweitern.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1106 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1106.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1106 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1106"
      },
      {
        "category": "external",
        "summary": "Typo3 Release Notes vom 2025-05-19",
        "url": "https://typo3.org/article/typo3-13412-and-12431-security-releases-published"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Advisory vom 2025-05-19",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-011"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Advisory vom 2025-05-19",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-012"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Advisory vom 2025-05-19",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-013"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Advisory vom 2025-05-19",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-014"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Advisory vom 2025-05-19",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-015"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Advisory vom 2025-05-19",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-016"
      }
    ],
    "source_lang": "en-US",
    "title": "TYPO3 Core: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-05-20T22:00:00.000+00:00",
      "generator": {
        "date": "2025-05-21T07:59:08.772+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-1106",
      "initial_release_date": "2025-05-19T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-05-19T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-05-20T22:00:00.000+00:00",
          "number": "2",
          "summary": "Korrektur"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c13.4.12 LTS",
                "product": {
                  "name": "TYPO3 Core \u003c13.4.12 LTS",
                  "product_id": "T044000"
                }
              },
              {
                "category": "product_version",
                "name": "13.4.12 LTS",
                "product": {
                  "name": "TYPO3 Core 13.4.12 LTS",
                  "product_id": "T044000-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:typo3:typo3:13.4.12_lts"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c12.4.31 LTS",
                "product": {
                  "name": "TYPO3 Core \u003c12.4.31 LTS",
                  "product_id": "T044001"
                }
              },
              {
                "category": "product_version",
                "name": "12.4.31 LTS",
                "product": {
                  "name": "TYPO3 Core 12.4.31 LTS",
                  "product_id": "T044001-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:typo3:typo3:12.4.31_lts"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Core"
          }
        ],
        "category": "vendor",
        "name": "TYPO3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-47936",
      "product_status": {
        "known_affected": [
          "T044001",
          "T044000"
        ]
      },
      "release_date": "2025-05-19T22:00:00.000+00:00",
      "title": "CVE-2025-47936"
    },
    {
      "cve": "CVE-2025-47937",
      "product_status": {
        "known_affected": [
          "T044001",
          "T044000"
        ]
      },
      "release_date": "2025-05-19T22:00:00.000+00:00",
      "title": "CVE-2025-47937"
    },
    {
      "cve": "CVE-2025-47938",
      "product_status": {
        "known_affected": [
          "T044001",
          "T044000"
        ]
      },
      "release_date": "2025-05-19T22:00:00.000+00:00",
      "title": "CVE-2025-47938"
    },
    {
      "cve": "CVE-2025-47939",
      "product_status": {
        "known_affected": [
          "T044001",
          "T044000"
        ]
      },
      "release_date": "2025-05-19T22:00:00.000+00:00",
      "title": "CVE-2025-47939"
    },
    {
      "cve": "CVE-2025-47940",
      "product_status": {
        "known_affected": [
          "T044001",
          "T044000"
        ]
      },
      "release_date": "2025-05-19T22:00:00.000+00:00",
      "title": "CVE-2025-47940"
    },
    {
      "cve": "CVE-2025-47941",
      "product_status": {
        "known_affected": [
          "T044001",
          "T044000"
        ]
      },
      "release_date": "2025-05-19T22:00:00.000+00:00",
      "title": "CVE-2025-47941"
    }
  ]
}

fkie_cve-2025-47936

Vulnerability from fkie_nvd

Published

2025-05-20 14:15

Modified

2025-05-21 20:25

Severity ?

3.3 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L

Summary

References

▶	URL	Tags
	security-advisories@github.com	https://github.com/TYPO3/typo3/security/advisories/GHSA-p4xx-m758-3hpx
	security-advisories@github.com	https://typo3.org/security/advisory/typo3-core-sa-2025-012

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS, Webhooks are inherently vulnerable to Cross-Site Request Forgery (CSRF), which can be exploited by adversaries to target internal resources (e.g., localhost or other services on the local network). While this is not a vulnerability in TYPO3 itself, it may enable attackers to blindly access systems that would otherwise be inaccessible. An administrator-level backend user account is required to exploit this vulnerability. Users should update to TYPO3 version 12.4.31 LTS or 13.4.12 LTS to fix the problem."
    },
    {
      "lang": "es",
      "value": "TYPO3 es un sistema de gesti\u00f3n de contenido web de c\u00f3digo abierto basado en PHP. En las versiones de la rama 12.x anteriores a la 12.4.31 LTS y de la rama 13.x anteriores a la 13.4.2 LTS, los webhooks son inherentemente vulnerables a Cross-Site Request Forgery (CSRF), que puede ser explotada por atacantes para atacar recursos internos (por ejemplo, el host local u otros servicios de la red local). Si bien esto no es una vulnerabilidad propia de TYPO3, puede permitir a los atacantes acceder a sistemas que de otro modo ser\u00edan inaccesibles. Se requiere una cuenta de usuario de backend con nivel de administrador para explotar esta vulnerabilidad. Los usuarios deben actualizar a la versi\u00f3n 12.4.31 LTS o 13.4.12 LTS de TYPO3 para solucionar el problema."
    }
  ],
  "id": "CVE-2025-47936",
  "lastModified": "2025-05-21T20:25:16.407",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 3.3,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 0.7,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-20T14:15:50.287",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-p4xx-m758-3hpx"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-012"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-p4xx-m758-3hpx

Vulnerability from github

Published

2025-05-20 19:20

Modified

2025-05-20 19:20

Severity ?

3.3 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L

Summary

TYPO3 CMS Webhooks Server Side Request Forgery

Details

Problem

Webhooks are inherently vulnerable to Server-Side Request Forgery (SSRF), which can be exploited by adversaries to target internal resources (e.g., localhost or other services on the local network). While this is not a vulnerability in TYPO3 itself, it may enable attackers to blindly access systems that would otherwise be inaccessible. An administrator-level backend user account is required to exploit this vulnerability.

Solution

Update to TYPO3 versions 12.4.31 LTS, 13.4.12 LTS that fix the problem described.

[!IMPORTANT]

Manual actions required

To mitigate potential SSRF risks via webhooks, it is recommended to explicitly allow access only to trusted hosts. This can be achieved by configuring the allowlist in $GLOBALS['TYPO3_CONF_VARS']['HTTP']['allowed_hosts']['webhooks'].

If the allowlist is not defined or set to null, all requests will be allowed. If the allowlist is an empty array, all requests will be blocked.

By default, the factory setting allows all requests. This prevents existing webhooks from failing after upgrading to the affected TYPO3 versions. Administrators must configure this setting manually to enforce restrictions.

Credits

Thanks to the National Cyber Security Center (NCSC) of Switzerland for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.4.30"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-webhooks"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.4.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 13.4.11"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-webhooks"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.4.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47936"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-20T19:20:55Z",
    "nvd_published_at": "2025-05-20T14:15:50Z",
    "severity": "LOW"
  },
  "details": "### Problem\nWebhooks are inherently vulnerable to Server-Side Request Forgery (SSRF), which can be exploited by adversaries to target internal resources (e.g., _localhost_ or other services on the local network). While this is not a vulnerability in TYPO3 itself, it may enable attackers to blindly access systems that would otherwise be inaccessible. An administrator-level backend user account is required to exploit this vulnerability.\n\n### Solution\nUpdate to TYPO3 versions 12.4.31 LTS, 13.4.12 LTS that fix the problem described.\n\n\u003e [!IMPORTANT]\n\u003e\n\u003e **Manual actions required**\n\u003e\n\u003e To mitigate potential SSRF risks via webhooks, it is recommended to explicitly allow access only to trusted hosts. This can be achieved by configuring the allowlist in `$GLOBALS[\u0027TYPO3_CONF_VARS\u0027][\u0027HTTP\u0027][\u0027allowed_hosts\u0027][\u0027webhooks\u0027]`.\n\u003e \n\u003e If the allowlist is not defined or set to `null`, all requests will be allowed.\n\u003e If the allowlist is an empty `array`, all requests will be blocked.\n\u003e \n\u003e By default, the factory setting allows all requests. This prevents existing webhooks from failing after upgrading to the affected TYPO3 versions. Administrators must configure this setting manually to enforce restrictions.\n\n\n### Credits\nThanks to the National Cyber Security Center (NCSC) of Switzerland for reporting this issue, and to TYPO3 core \u0026 security team member Benjamin Franzke for fixing it.",
  "id": "GHSA-p4xx-m758-3hpx",
  "modified": "2025-05-20T19:20:55Z",
  "published": "2025-05-20T19:20:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-p4xx-m758-3hpx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47936"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3-CMS/webhooks/commit/0df8b8adae577876fa253679c9ef3fe2a7ee64fd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TYPO3-CMS/webhooks"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-012"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TYPO3 CMS Webhooks Server Side Request Forgery"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-47936 (GCVE-0-2025-47936)

Vulnerability from cvelistv5

wid-sec-w-2025-1106

Vulnerability from csaf_certbund

fkie_cve-2025-47936

Vulnerability from fkie_nvd

ghsa-p4xx-m758-3hpx

Vulnerability from github

Problem

Solution

Credits

Tags

Sightings

Nomenclature