
CVSS: 9.1 • EPSS: 0% • CPEs: 3 • EXPL: 0

22 Jul 2025 — The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects femanager version 6.4.1 and below, 7.0.0 to 7.5.2 and 8.0.0 to 8.3.0. • https://typo3.org/security/advisory/typo3-ext-sa-2025-010 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 Jul 2025 — The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0. • https://typo3.org/security/advisory/typo3-ext-sa-2025-009 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 May 2025 — The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution. • https://typo3.org/security/advisory/typo3-ext-sa-2025-008 • CWE-502: Deserialization of Untrusted Data •

CVSS: 8.6 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 May 2025 — The ns_backup extension through 13.0.0 for TYPO3 has a Predictable Resource Location. • https://typo3.org/security/advisory/typo3-ext-sa-2025-007 • CWE-425: Direct Request ('Forced Browsing') •

CVSS: 5.3 • EPSS: 0% • CPEs: 4 • EXPL: 0

21 May 2025 — The femanager extension through 8.2.1 for TYPO3 allows Insecure Direct Object Reference. • https://typo3.org/security/advisory/typo3-ext-sa-2025-006 • CWE-425: Direct Request ('Forced Browsing') •

CVSS: 6.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

21 May 2025 — The cs_seo extension through 9.2.0 for TYPO3 allows XSS. • https://typo3.org/security/advisory/typo3-ext-sa-2025-005 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 May 2025 — The ns_backup extension through 13.0.0 for TYPO3 allows command injection. • https://typo3.org/security/advisory/typo3-ext-sa-2025-007 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 8.6 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 May 2025 — The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference. • https://typo3.org/security/advisory/typo3-ext-sa-2025-008 • CWE-425: Direct Request ('Forced Browsing') •

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 May 2025 — The ns_backup extension through 13.0.0 for TYPO3 allows XSS. • https://typo3.org/security/advisory/typo3-ext-sa-2025-007 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.6 • EPSS: 0% • CPEs: 2 • EXPL: 0

21 May 2025 — The reint_downloadmanager extension through 5.0.0 for TYPO3 allows Insecure Direct Object Reference. • https://typo3.org/security/advisory/typo3-ext-sa-2025-004 • CWE-425: Direct Request ('Forced Browsing') •