3.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-47938

GHSA ID

GHSA-3jrg-97f3-rqh9

EPSS Score

0.18981%

CWE

CWE-620

Published

5/20/2025

Updated

5/20/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-47938

CVE-2025-47938: TYPO3 Unverified Password Change for Backend Users

Problem

The backend user management interface allows password changes without requiring the current password. When an administrator updates their own account or modifies other user accounts via the admin interface, the current password is not requested for verification.

This behavior may lower the protection against unauthorized access in scenarios where an admin session is hijacked or left unattended, as it enables password changes without additional authentication.

Solution

Update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described.

[!NOTE] In these versions, administrators are required to verify their identity through step-up authentication (also known as sudo mode) when changing backend user passwords.

Credits

Thanks to the National Cyber Security Center (NCSC) of Switzerland for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-47938

CVE-2025-47938:

3.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-47938

GHSA ID

GHSA-3jrg-97f3-rqh9

EPSS Score

0.18981%

CWE

CWE-620

Published

5/20/2025

Updated

5/20/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms-core	composer	>= 9.0.0, <= 9.5.50	9.5.51
typo3/cms-setup	composer	>= 9.0.0, <= 9.5.50	9.5.51
typo3/cms-core

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows changing backend user passwords without verifying the current password. This issue manifested in two primary ways:

In the 'User Setup' module, handled by TYPO3\CMS\Setup\Controller\SetupModuleController::storeIncomingData. The existing logic for checking the current password was insufficient or could be bypassed, particularly for admin users. The patch removes this direct password checking logic.
In general backend user editing forms, where data is processed by TYPO3\CMS\Core\DataHandling\DataHandler::process_datamap. The DataHandler relied on TCA configurations, which, for the be_users.password field, did not mandate any specific authentication context (like current password check or step-up auth). The patch adds an authenticationContext to the TCA for the password field.

Both functions were involved in processing password change requests without adequate verification. The patches introduce a system-wide step-up authentication requirement for such sensitive operations, moving away from direct (and flawed) current password checks within specific controllers or relying on TCA to enforce stricter authentication for the DataHandler.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-47938: TYPO3 Unverified Password Change for Backend Users

Problem

Solution

Credits

CVE-2025-47938:

3.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

3.8

3.8

CVE-2025-47938: TYPO3 Unverified Password Change for Backend Users

Problem

Solution

Credits

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI