
CVE-2025-47938: TYPO3 Unverified Password Change for Backend Users

CVSS Score (CVSS 3.1): 3.8

Basic Information

EPSS Score: 0.18981%
Published: 5/20/2025
Updated: 5/20/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| typo3/cms-core | composer | >= 9.0.0, <= 9.5.50 | 9.5.51 |
| typo3/cms-core | composer | >= 10.0.0, <= 10.4.49 | 10.4.50 |
| typo3/cms-core | composer | >= 11.0.0, <= 11.5.43 | 11.5.44 |
| typo3/cms-core | composer | >= 12.0.0, <= 12.4.30 | 12.4.31 |
| typo3/cms-core | composer | >= 13.0.0, <= 13.4.11 | 13.4.12 |
| typo3/cms-setup | composer | >= 9.0.0, <= 9.5.50 | 9.5.51 |
| typo3/cms-setup | composer | >= 10.0.0, <= 10.4.49 | 10.4.50 |
| typo3/cms-setup | composer | >= 11.0.0, <= 11.5.43 | 11.5.44 |
| typo3/cms-setup | composer | >= 12.0.0, <= 12.4.30 | 12.4.31 |
| typo3/cms-setup | composer | >= 13.0.0, <= 13.4.11 | 13.4.12 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability allows changing backend user passwords without verifying the current password. This issue manifested in two primary ways:

  1. In the 'User Setup' module, whose form data is handled by TYPO3\CMS\Setup\Controller\SetupModuleController::storeIncomingData. The controller's own check of the current password was insufficient and could be bypassed, particularly by admin users. The patch removes this controller-local password check.
  2. In the general backend user editing forms, where record data is processed by TYPO3\CMS\Core\DataHandling\DataHandler::process_datamap. The DataHandler relies on the TCA configuration, and the TCA for the be_users.password field did not require any authentication context (such as a current-password check or step-up authentication) before the field could be written. The patch adds an authenticationContext to the TCA configuration of the password field.

Both functions processed password change requests without adequate verification. The patches introduce a system-wide step-up authentication requirement for such sensitive operations, moving away from direct (and flawed) current-password checks inside specific controllers and instead relying on the TCA to enforce stricter authentication in the DataHandler.
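As an added, defender-side example (not code from Miggo or the TYPO3 project): a small Python script that reads a composer.lock and flags typo3/cms-core or typo3/cms-setup installs that fall inside the vulnerable ranges from the table above, reporting the first patched version to upgrade to. The composer.lock fragment is constructed for the demonstration.

```python
import json

# (package, lowest vulnerable, highest vulnerable, first patched), copied from the advisory table
VULNERABLE_RANGES = [
    ("typo3/cms-core", "9.0.0", "9.5.50", "9.5.51"),
    ("typo3/cms-core", "10.0.0", "10.4.49", "10.4.50"),
    ("typo3/cms-core", "11.0.0", "11.5.43", "11.5.44"),
    ("typo3/cms-core", "12.0.0", "12.4.30", "12.4.31"),
    ("typo3/cms-core", "13.0.0", "13.4.11", "13.4.12"),
    ("typo3/cms-setup", "9.0.0", "9.5.50", "9.5.51"),
    ("typo3/cms-setup", "10.0.0", "10.4.49", "10.4.50"),
    ("typo3/cms-setup", "11.0.0", "11.5.43", "11.5.44"),
    ("typo3/cms-setup", "12.0.0", "12.4.30", "12.4.31"),
    ("typo3/cms-setup", "13.0.0", "13.4.11", "13.4.12"),
]


def parse_version(version):
    """Map 'v13.4.11' or '13.4.11' to a comparable (major, minor, patch) tuple.

    Pre-release/build suffixes are dropped; non-numeric parts (e.g. 'dev-main') become 0,
    so branch aliases never match a vulnerable range and must be reviewed by hand.
    """
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def find_affected(lock_json):
    """Return {package: (installed version, first patched version)} for vulnerable lock entries."""
    lock = json.loads(lock_json)
    findings = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, installed = pkg.get("name"), pkg.get("version", "")
        for pkg_name, low, high, patched in VULNERABLE_RANGES:
            if name == pkg_name and parse_version(low) <= parse_version(installed) <= parse_version(high):
                findings[name] = (installed, patched)
    return findings


# Constructed composer.lock fragment: cms-core still vulnerable, cms-setup already patched.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v13.4.11"},
    {"name": "typo3/cms-setup", "version": "v13.4.12"},
    {"name": "psr/log", "version": "3.0.0"},
]})

if __name__ == "__main__":
    for name, (installed, patched) in find_affected(SAMPLE_LOCK).items():
        print(f"{name} {installed} is affected by CVE-2025-47938; upgrade to {patched}")
```

Point it at a real lock file with `find_affected(open("composer.lock").read())`; a non-empty result means the TYPO3 backend password change is still unprotected until the listed patched version is installed.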
