CSRF Vulnerability in TYPO3 Backend User Interface
CVE-2024-55894

4.3MEDIUM

Key Information:

Vendor: Typo3
Status: Typo3
Vendor: CVE Published:; 14 January 2025

What is CVE-2024-55894?

A security vulnerability has been found in the TYPO3 backend user interface concerning the handling of deep links. This flaw opens potential entry points for Cross-Site Request Forgery (CSRF) attacks, where malicious actors can exploit weak configurations to manipulate backend user actions. The issue arises when critical state-changing operations in the Backend User Module accept HTTP GET requests without the necessary validations. For exploitation to be successful, attackers rely on users being tricked into clicking harmful URLs while their session is active. This vulnerability is particularly exacerbated when certain settings, such as 'security.backend.enforceReferrer' being disabled and 'BE/cookieSameSite' set to lax or none, are improperly configured. TYPO3 advises immediate updates to the secure versions mentioned to mitigate these risks.

Affected Version(s)

typo3 >= 10.0.0, < 10.4.48 < 10.0.0, 10.4.48

typo3 >= 11.0.0, < 11.5.42 < 11.0.0, 11.5.42

typo3 >= 12.0.0, < 12.4.25 < 12.0.0, 12.4.25

References

https://github.com/TYPO3/typo3/security/advisories/GHSA-6...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 14, 2025

Typo3

What is CVE-2024-55894?

Affected Version(s)

References

CVSS V3.1

Timeline