CVE-2025-47939

{"id": "CVE-2025-47939", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2025-05-20T14:15:50.787", "references": [{"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-9hq9-cr36-4wpj", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://typo3.org/security/advisory/typo3-core-sa-2025-014", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-351"}, {"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "TYPO3 is an open source, PHP based web content management system. By design, the file management module in TYPO3\u2019s backend user interface has historically allowed the upload of any file type, with the exception of those that are directly executable in a web server context. This lack of restriction means it is possible to upload files that may be considered potentially harmful, such as executable binaries (e.g., `.exe` files), or files with inconsistent file extensions and MIME types (for example, a file incorrectly named with a `.png` extension but actually carrying the MIME type `application/zip`) starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS. Although such files are not directly executable through the web server, their presence can introduce indirect risks. For example, third-party services such as antivirus scanners or malware detection systems might flag or block access to the website for end users if suspicious files are found. This could negatively affect the availability or reputation of the site. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem."}, {"lang": "es", "value": "TYPO3 es un sistema de gesti\u00f3n de contenido web de c\u00f3digo abierto basado en PHP. Por dise\u00f1o, el m\u00f3dulo de gesti\u00f3n de archivos de la interfaz de usuario backend de TYPO3 ha permitido hist\u00f3ricamente la carga de cualquier tipo de archivo, excepto aquellos que se ejecutan directamente en un servidor web. Esta ausencia de restricciones permite cargar archivos potencialmente da\u00f1inos, como binarios ejecutables (p. ej., archivos `.exe`) o archivos con extensiones y tipos MIME inconsistentes (por ejemplo, un archivo con la extensi\u00f3n `.png` incorrecta, pero que en realidad contiene el tipo MIME `application/zip`) a partir de la versi\u00f3n 9.0.0 y anteriores a las versiones 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS y 13.4.12 LTS. Aunque estos archivos no se ejecutan directamente a trav\u00e9s del servidor web, su presencia puede suponer riesgos indirectos. Por ejemplo, servicios de terceros, como antivirus o sistemas de detecci\u00f3n de malware, podr\u00edan marcar o bloquear el acceso al sitio web a los usuarios finales si se encuentran archivos sospechosos. Esto podr\u00eda afectar negativamente la disponibilidad o la reputaci\u00f3n del sitio. Los usuarios deben actualizar a las versiones 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS o 13.4.12 LTS de TYPO3 para solucionar el problema."}], "lastModified": "2025-09-03T17:25:35.677", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C934C013-7EE6-4A22-82D1-A3BEAF737E93", "versionEndExcluding": "9.5.51", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "715A1114-6067-492F-B0D8-35E2A716384E", "versionEndExcluding": "10.4.50", "versionStartIncluding": "10.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6F1A88B2-0BFA-42E7-8F49-835C8F2D4E3F", "versionEndExcluding": "11.5.44", "versionStartIncluding": "11.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "05F9DC80-7BBC-42A0-800E-EF90CA604C7F", "versionEndExcluding": "12.4.31", "versionStartIncluding": "12.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "10E529B8-AA31-4603-800C-39AF3CCBA1E7", "versionEndExcluding": "13.4.12", "versionStartIncluding": "13.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}