N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-12998

GHSA ID

GHSA-49qv-h8pm-73pf

EPSS Score

0.15346%

CWE

CWE-287

Published

11/12/2025

Updated

11/14/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-12998

CVE-2025-12998: TYPO3 Modules Extension has Improper Authentication vulnerability

Improper Authentication vulnerability in TYPO3 Extension "Modules" codingms/modules. This issue affects Extension "Modules": before 4.3.11, from 5.0.0 before 5.7.4, from 6.0.0 before 6.4.2, from 7.0.0 before 7.5.5.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-12998

CVE-2025-12998:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-12998

GHSA ID

GHSA-49qv-h8pm-73pf

EPSS Score

0.15346%

CWE

CWE-287

Published

11/12/2025

Updated

11/14/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
codingms/modules	composer	< 4.3.11	4.3.11
codingms/modules	composer	>= 5.0.0, < 5.7.4	5.7.4
codingms/modules	composer	>= 7.0.0, < 7.5.5	7.5.5
codingms/modules	composer	>= 6.0.0, < 6.4.2	6.4.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided patch commit reveals an improper authentication vulnerability within the 'Modules' TYPO3 extension. The core of the issue is in the loginAsFrontendUser function located in Classes/Utility/FrontendUserUtility.php. Before the patch, this function checked if a user was an administrator but critically failed to verify if the user was actually logged in to the backend. This was facilitated by the getBackendUserAuthentication helper function, which insecurely fetched the user object from a global variable. An attacker could exploit this flaw to bypass authentication and impersonate a frontend user. The patch rectifies this by introducing a robust check for an active backend user session using Context->getPropertyFromAspect('backend.user', 'isLoggedIn') and removing the insecure getBackendUserAuthentication function. The identified vulnerable functions, loginAsFrontendUser and getBackendUserAuthentication, would be present in the runtime profile during an exploit of this vulnerability.

Vulnerable functions

CodingMs\Modules\Utility\FrontendUserUtility::loginAsFrontendUser

Classes/Utility/FrontendUserUtility.php

The vulnerability lies in the `loginAsFrontendUser` function, which allows a backend user to log in as a frontend user. The original code only checked if the backend user had admin privileges or if non-admin logins were allowed. It failed to verify if a backend user was actually authenticated and logged in. The patch addresses this by adding an explicit check `isBackendUserLoggedIn` using the TYPO3 Context API, ensuring that only authenticated backend users can use this feature.

CodingMs\Modules\Utility\FrontendUserUtility::getBackendUserAuthentication

Classes/Utility/FrontendUserUtility.php

This helper function was used by `loginAsFrontendUser` to retrieve the backend user object directly from the global `$GLOBALS['BE_USER']` variable. This approach is insecure because it doesn't guarantee that the user object represents a currently authenticated session. An unauthenticated attacker could potentially manipulate the global state or exploit a scenario where `$GLOBALS['BE_USER']` is not properly cleared, leading to an improper authentication bypass. The function was removed as part of the security fix.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-12998: TYPO3 Modules Extension has Improper Authentication vulnerability

CVE-2025-12998:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

CVE-2025-12998: TYPO3 Modules Extension has Improper Authentication vulnerability

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI