
CVE-2025-59019: TYPO3 CSV download feature information disclosure

Basic Information

CVSS Score: N/A
EPSS Score: 0.1183%
Published: 9/9/2025
Updated: 9/9/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

Package name       | Ecosystem | Vulnerable versions   | First patched version
typo3/cms-backend    | composer  | >= 12.0.0, < 12.4.37  | 12.4.37
typo3/cms-backend    | composer  | >= 13.0.0, < 13.4.18  | 13.4.18
typo3/cms-recordlist | composer  | >= 11.0.0, < 11.5.48  | 12.4.37

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability details and the associated patch commit point to a missing authorization check in TYPO3's CSV download functionality. Commit c983415f062c32f8edbb78544a0ff3219bc35d17 modifies RecordListDownloadController.php, specifically the handleDownloadRequest function, adding a permission check, $backendUser->check('tables_select', $this->table), that was previously absent. This confirms that handleDownloadRequest was the vulnerable entry point: it processed the download request without verifying that the backend user was allowed to read the requested table. An attacker could have exploited this by crafting a request to this controller to download data from an arbitrary table. This function would therefore appear in any runtime profile capturing exploitation of this information disclosure vulnerability.
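To make the shape of the fix concrete, here is an added illustration, not TYPO3's own code and not the patch itself: a minimal PHP model of a CSV download handler with and without the authorization gate the commit introduces. Only the check itself, $backendUser->check('tables_select', $table), is taken from the page; the DemoBackendUser and DemoDownloadController classes, the in-memory table data and the sample request are constructed for this example.

```php
<?php
declare(strict_types=1);

// Stand-in for TYPO3's backend user object (constructed for this example).
// It only mirrors the shape of BackendUserAuthentication::check($type, $value):
// admins pass every check; other users need the table in their tables_select ACL.
final class DemoBackendUser
{
    /** @param string[] $selectableTables constructed ACL of readable tables */
    public function __construct(private array $selectableTables, private bool $isAdmin = false) {}

    public function check(string $type, string $value): bool
    {
        if ($this->isAdmin) {
            return true;
        }
        return $type === 'tables_select' && in_array($value, $this->selectableTables, true);
    }
}

// Stand-in for the download controller (constructed; not RecordListDownloadController).
final class DemoDownloadController
{
    /** @var array<string, array<int, array<string, string>>> constructed in-memory "database" */
    private array $rows = [
        'tt_content' => [['uid' => '1', 'header' => 'Welcome']],
        'be_users'   => [['uid' => '1', 'username' => 'admin', 'password' => '<hash>']],
    ];

    // Before the fix: the export ran for whatever table the request named;
    // the user object is accepted but never consulted.
    public function handleDownloadRequestVulnerable(array $query, DemoBackendUser $user): string
    {
        $table = (string)($query['table'] ?? '');
        return $this->exportCsv($table);
    }

    // After the fix: refuse before touching any data unless the backend user
    // holds select permission on the requested table (the check the patch adds).
    public function handleDownloadRequestFixed(array $query, DemoBackendUser $user): string
    {
        $table = (string)($query['table'] ?? '');
        if (!$user->check('tables_select', $table)) {
            // Deny early, before any rows are read or serialised.
            throw new RuntimeException('Access denied to table "' . $table . '"', 403);
        }
        return $this->exportCsv($table);
    }

    private function exportCsv(string $table): string
    {
        $out = fopen('php://memory', 'r+');
        foreach ($this->rows[$table] ?? [] as $row) {
            fputcsv($out, $row, ',', '"', '');
        }
        rewind($out);
        $csv = stream_get_contents($out);
        fclose($out);
        return $csv;
    }
}

// Constructed scenario: an editor who may read tt_content requests be_users.
$editor     = new DemoBackendUser(['tt_content']);
$controller = new DemoDownloadController();
$request    = ['table' => 'be_users'];

echo "vulnerable handler returned:\n" . $controller->handleDownloadRequestVulnerable($request, $editor);
try {
    $controller->handleDownloadRequestFixed($request, $editor);
} catch (RuntimeException $e) {
    echo "fixed handler: HTTP " . $e->getCode() . ' ' . $e->getMessage() . PHP_EOL;
}
```

Run with `php demo.php`. The vulnerable path emits the be_users rows to a user who was never granted that table, while the fixed path rejects the request before any row is read. The important design point is the ordering: the permission check runs on the raw table name from the request, ahead of any query or serialisation, so a denied request never reaches the data layer.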
