Cyber Resilience

CVE-2025-47938

Low

Published: 20 May 2025

Modified
03 September 2025
KEV Added
Patch
CVSS Score v3.1 3.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
EPSS Score 0.0016 36.4th percentile
Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-47938 is a low-severity Unverified Password Change (CWE-620) vulnerability in TYPO3. Its CVSS base score is 3.8 (Low).

Operationally, it is ranked at the 36.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, the backend user management interface allows password changes without requiring the current password. When an administrator updates their own account or modifies other user accounts via the admin interface, the current password is not requested for verification. This behavior may lower the protection against unauthorized access in scenarios where an admin session is hijacked or left unattended, as it enables password changes without additional authentication. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.
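The following is an added illustration of the weakness class and its fix, not TYPO3's own code: a minimal password-change handler in the vulnerable shape (the session alone authorizes the change, CWE-620) beside the hardened shape (the caller must re-authenticate with their current password, whether changing their own password or another user's). The in-memory user store, the PBKDF2 parameters and the function names are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store; TYPO3 stores and hashes users differently.
PBKDF2_ITERATIONS = 200_000  # assumption for the example, not a TYPO3 setting


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class UserStore:
    def __init__(self) -> None:
        self._users: dict[str, dict[str, bytes]] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": _hash_password(password, salt)}

    def verify(self, username: str, password: str) -> bool:
        """Constant-time check of a password against the stored hash."""
        rec = self._users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

    def set_password(self, username: str, new_password: str) -> None:
        """Low-level write; callers are responsible for authorization."""
        if username not in self._users:
            raise KeyError(username)
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": _hash_password(new_password, salt)}


def change_password_unverified(store: UserStore, session_user: str,
                               target_user: str, new_password: str) -> bool:
    """Vulnerable pattern (CWE-620): possession of a logged-in session is the
    only thing authorizing the change. A hijacked or unattended admin session
    can therefore reset its own or any other user's password."""
    store.set_password(target_user, new_password)
    return True


def change_password_verified(store: UserStore, session_user: str,
                             current_password: str, target_user: str,
                             new_password: str) -> bool:
    """Hardened pattern: the acting user must prove knowledge of their own
    current password before any password is written, for their own account
    and for accounts they administer. Returns False without changing anything
    when re-authentication fails."""
    if not store.verify(session_user, current_password):
        return False
    store.set_password(target_user, new_password)
    return True


def simulate_hijacked_session() -> tuple[bool, bool, bool]:
    """Model an attacker who holds an admin session but not the admin password.
    Returns (unverified_succeeded, verified_blocked, verified_with_password)."""
    store = UserStore()
    store.add_user("admin", "correct horse battery staple")
    store.add_user("editor", "editor-pass")

    # Vulnerable handler: the attacker resets the editor's password outright.
    unverified = change_password_unverified(store, "admin", "editor", "attacker-chosen")
    took_over_editor = unverified and store.verify("editor", "attacker-chosen")

    # Hardened handler: the same attempt fails because the attacker cannot
    # supply the admin's current password, and the editor's password is unchanged.
    store.add_user("editor", "editor-pass")  # reset for the second scenario
    blocked = not change_password_verified(store, "admin", "guess", "editor", "attacker-chosen")
    blocked = blocked and store.verify("editor", "editor-pass")

    # The legitimate admin, who knows the current password, still succeeds.
    legit = change_password_verified(store, "admin", "correct horse battery staple",
                                     "editor", "new-editor-pass")
    legit = legit and store.verify("editor", "new-editor-pass")
    return took_over_editor, blocked, legit


if __name__ == "__main__":
    print(simulate_hijacked_session())
```

The design point is that `set_password` performs no authorization of its own, so every entry point that can reach it must re-authenticate the acting user; the advisory's fix is the equivalent requirement in the TYPO3 backend. Re-authentication also pairs naturally with detection: a failed current-password check on a password-change form from an already-authenticated session is a strong signal worth logging and alerting on.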

CWE(s)

CWE-620: Unverified Password Change

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: typo3
Product: typo3
Affected versions: 9.0.0 — 9.5.51 · 10.0.0 — 10.4.50 · 11.0.0 — 11.5.44

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References