Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-59015

Summary
Assigner-TYPO3
Assigner Org ID-f4fb688c-4412-4426-b4b8-421ecf27b14a
Published At-09 Sep, 2025 | 09:00
Updated At-09 Sep, 2025 | 19:31
Rejected At-
Credits

Insufficient Entropy in Password Generation

A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:TYPO3
Assigner Org ID:f4fb688c-4412-4426-b4b8-421ecf27b14a
Published At:09 Sep, 2025 | 09:00
Updated At:09 Sep, 2025 | 19:31
Rejected At:
▼CVE Numbering Authority (CNA)
Insufficient Entropy in Password Generation

A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly.

Affected Products
Vendor
TYPO3 AssociationTYPO3
Product
TYPO3 CMS
Collection URL
https://packagist.org
Package Name
typo3/cms-core
Repo
https://github.com/TYPO3/typo3
Modules
  • Core
Default Status
unaffected
Versions
Affected
  • From 12.0.0 before 12.4.37 (semver)
  • From 13.0.0 before 13.4.18 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-331CWE-331 Insufficient Entropy
Type: CWE
CWE ID: CWE-331
Description: CWE-331 Insufficient Entropy
Metrics
VersionBase scoreBase severityVector
4.06.3MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Version: 4.0
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
reporter
Mathias Brodala
remediation developer
Oliver Hader
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://typo3.org/security/advisory/typo3-core-sa-2025-019
vendor-advisory
Hyperlink: https://typo3.org/security/advisory/typo3-core-sa-2025-019
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:f4fb688c-4412-4426-b4b8-421ecf27b14a
Published At:09 Sep, 2025 | 09:15
Updated At:10 Sep, 2025 | 13:42

A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.06.3MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Type: Secondary
Version: 4.0
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CPE Matches
TYPO3 Association
typo3
>>typo3>>Versions from 12.0.0(inclusive) to 12.4.37(exclusive)
cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
TYPO3 Association
typo3
>>typo3>>Versions from 13.0.0(inclusive) to 13.4.18(exclusive)
cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-331Secondaryf4fb688c-4412-4426-b4b8-421ecf27b14a
CWE ID: CWE-331
Type: Secondary
Source: f4fb688c-4412-4426-b4b8-421ecf27b14a
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://typo3.org/security/advisory/typo3-core-sa-2025-019f4fb688c-4412-4426-b4b8-421ecf27b14a
Vendor Advisory
Hyperlink: https://typo3.org/security/advisory/typo3-core-sa-2025-019
Source: f4fb688c-4412-4426-b4b8-421ecf27b14a
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

2Records found
CVE-2010-3671
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.91% / 75.33%
||
7 Day CHG~0.00%
Published-05 Nov, 2019 | 19:19
Updated-07 Aug, 2024 | 03:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session.

Action-Not Available
Vendor-n/aTYPO3 Association
Product-typo3n/a
CWE ID-CWE-384
Session Fixation
CVE-2024-56370
Matching Score-4
Assigner-CPAN Security Group
ShareView Details
Matching Score-4
Assigner-CPAN Security Group
CVSS Score-6.5||MEDIUM
EPSS-0.36% / 57.69%
||
7 Day CHG~0.00%
Published-05 Apr, 2025 | 18:26
Updated-05 Sep, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Net::Xero 0.044 and earlier for Perl uses insecure rand() function for cryptographic functions

Net::Xero 0.044 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Net::Xero uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.

Action-Not Available
Vendor-ELLIOTT
Product-Net::Xero
CWE ID-CWE-331
Insufficient Entropy
CWE ID-CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Details not found