SCA: security update for typo3/cms-backend (GHSA-744g-7qm9-hjh9)

Severity: High. Tenable Self-Hosted Container Security, Plugin ID 434738

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to
12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS, the multifactor authentication (MFA) dialog presented
during backend login can be bypassed due to insufficient enforcement of access restrictions on all backend
routes. Successful exploitation requires valid backend user credentials, as MFA can only be bypassed after
successful authentication. Users should update to TYPO3 version 12.4.31 LTS or 13.4.12 LTS to fix the
problem. (CVE-2025-47941)

See Also

https://github.com/advisories/GHSA-744g-7qm9-hjh9

Plugin Details

Severity: High

ID: 434738

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.86

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 8.3

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C

CVSS Score Source: CVE-2025-47941

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/20/2025

Vulnerability Publication Date: 5/20/2025

Reference Information

CVE: CVE-2025-47941

CWE: CWE-288