How severe is CVE-2025-47938?

This vulnerability has a severity rating of LOW with a CVSS score of 3.8 out of 10.

What type of vulnerability is CVE-2025-47938?

This is classified as CWE-620, which is a common weakness in software security.

CVE-2025-47938 - LOW Severity | CVSS 3.8

Vulnerability Description

TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, the backend user management interface allows password changes without requiring the current password. When an administrator updates their own account or modifies other user accounts via the admin interface, the current password is not requested for verification. This behavior may lower the protection against unauthorized access in scenarios where an admin session is hijacked or left unattended, as it enables password changes without additional authentication. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.

Related Vulnerabilities

CVE-2025-3793

MEDIUM

CVSS:4.2(Medium)

The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password t...

CWE-6202025

CVE-2023-4381

MEDIUM

CVSS:4.3(Medium)

Unverified Password Change in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

CWE-6202023

CVE-2023-5844

MEDIUM

CVSS:4.3(Medium)

Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.

CWE-6202023

CVE-2025-3849

MEDIUM

CVSS:4.3(Medium)

A vulnerability classified as problematic was found in YXJ2018 SpringBoot-Vue-OnlineExam 1.0. This vulnerability affects unknown code of the file /api/studentPWD. The manipulation of the argument stud...

CWE-6202025

CVE-2025-46748

LOW

CVSS:2.7(Low)

An authenticated user attempting to change their password could do so without using the current password.

CWE-6202025

CVE-2021-34786

MEDIUM

CVSS:4.9(Medium)

Multiple vulnerabilities in Cisco BroadWorks CommPilot Application Software could allow an authenticated, remote attacker to delete arbitrary user accounts or gain elevated privileges on an affected s...

CWE-6202021