Unverified password change in TYPO3 allows attackers to set a new password without knowing the current one

Open Source

NTCF:
NTCF-2025-6472

CVE:
CVE-2025-47938

Product:
TYPO3

Vendor:
TYPO3

Criticality:
low

Status:
fixed

Discovered:
2025-02-06

Detail:
Public

Vulnerable version:
9.0.0-9.5.50, 10.0.0-10.4.49, 11.0.0-11.5.43, 12.0.0-12.4.30, 13.0.0-13.4.11

Fixed version:
9.5.51, 10.4.50, 11.5.44, 12.4.31, 13.4.12

Summary

TYPO3 is an enterprise Content Management System (CMS) developed in PHP. The following versions were found to have an unverified password change for admin users: 9.0.0-9.5.50, 10.0.0-10.4.49, 11.0.0-11.5.43, 12.0.0-12.4.30, 13.0.0-13.4.11.

The risk is increased in scenarios where an admin session is hijacked or left unattended.

Background

TYPO3 is a widely used open source enterprise CMS known for its extensibility and customizability. It allows organizations to build and manage complex websites while offering a range of extensions that enhance its functionality. Various authorities at the national, cantonal and municipal level use TYPO3, often in contexts where confidentiality, availability and integrity are essential.

In a pilot project with the NCSC, the NTC evaluated the security of TYPO3 and its extensions to ensure the security of open source software used within the Swiss administration. Read more about the project here.

Vulnerability and Proof of Concept

While testing a TYPO3 application dynamically, it was noticed that a backend admin is able to change their password without being asked for their current one. To do so, one simply has to edit their own account via the user management.
In the same settings menu, it is also possible to disable MFA for the current account or create a new admin account without any further security measures.

Password change via user management of current user

Note: A password change is also possible using the user settings in the top menu. However, there the current password is checked by the application.

While this behavior is not a vulnerability in itself, it still presents a security risk. In a session hijacking scenario or on an unattended but logged-in machine, an attacker could change an administrator's password without knowing the current one, leading to account takeover.

Remediation

Change number 89467 alters the behavior so that users must verify their identity through step-up authentication (also known as sudo mode) before changing backend user passwords.
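The weak pattern described above and the step-up check that closes it, as an added illustration in plain PHP (not TYPO3's own code; the function names, the session layout and the 300-second lifetime are assumptions):

```php
<?php
// Added illustration of the weak pattern and its step-up (sudo mode) fix.
// Not TYPO3 code: function names, session layout and lifetime are assumptions.
const SUDO_MODE_LIFETIME = 300; // seconds a completed step-up stays valid (assumed)

// Weak pattern: any authenticated admin session may set a new password; nothing
// ties the request to knowledge of the acting user's current password.
function changePasswordUnverified(array &$users, string $target, string $newPassword): bool
{
    if (!isset($users[$target])) {
        return false;
    }
    $users[$target]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Step-up: the acting user re-enters their own current password; on success the
// verification time is recorded in the session.
function enterSudoMode(array &$session, array $actor, string $currentPassword, int $now): bool
{
    if (!password_verify($currentPassword, $actor['hash'])) {
        return false;
    }
    $session['sudo_verified_at'] = $now;
    return true;
}

function isSudoModeActive(array $session, int $now): bool
{
    return isset($session['sudo_verified_at'])
        && ($now - $session['sudo_verified_at']) <= SUDO_MODE_LIFETIME;
}

// Hardened pattern: the sensitive change is refused unless sudo mode is active,
// so a hijacked or unattended session alone is not enough to reset a password.
function changePasswordWithStepUp(array &$users, array $session, string $target, string $newPassword, int $now): bool
{
    if (!isset($users[$target]) || !isSudoModeActive($session, $now)) {
        return false;
    }
    return changePasswordUnverified($users, $target, $newPassword);
}

// Constructed demo: one admin account, an empty session, then the step-up flow.
$users = ['admin' => ['hash' => password_hash('old-secret', PASSWORD_DEFAULT)]];
$session = []; $now = time();
var_dump(changePasswordWithStepUp($users, $session, 'admin', 'new-secret', $now)); // before any step-up
var_dump(enterSudoMode($session, $users['admin'], 'wrong-guess', $now));           // wrong current password
var_dump(enterSudoMode($session, $users['admin'], 'old-secret', $now));            // correct current password
var_dump(changePasswordWithStepUp($users, $session, 'admin', 'new-secret', $now)); // within the lifetime
var_dump(changePasswordWithStepUp($users, $session, 'admin', 'other', $now + SUDO_MODE_LIFETIME + 1)); // after expiry
```

The same gate belongs in front of the other sensitive actions the advisory lists for this menu, disabling MFA and creating a new admin account.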

Patches

System operators are encouraged to update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described.

Timeline

2025-02-06: initial discovery

2025-02-21: private disclosure to vendor

2025-05-20: fix by vendor

2025-10-13: public disclosure