Cross-Site Request Forgery Vulnerability in TYPO3 Backend User Interface
CVE-2024-55920

4.3 MEDIUM

Key Information:

Vendor: Typo3
Status: Vendor
CVE Published: 14 January 2025

What is CVE-2024-55920?

A vulnerability has been found in the backend user interface of the TYPO3 Content Management Framework, specifically in its deep link functionality, that exposes the system to Cross-Site Request Forgery (CSRF). State-changing actions are performed in response to HTTP GET requests without enforcing the appropriate HTTP method. An attacker can exploit this by tricking a logged-in backend user into clicking a crafted link or visiting a site under the attacker's control, particularly when the security settings security.backend.enforceReferrer and BE/cookieSameSite are misconfigured. Successful exploitation allows unauthorized changes to the user's dashboard configuration. Users are strongly encouraged to update to a fixed TYPO3 version.
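The following PHP snippet is an added illustration of the defensive pattern the description implies; it is not TYPO3 code and not part of this advisory, and the function names and the dashboard array are hypothetical. It contrasts a handler that mutates state on any GET with one that only accepts POST, checks a per-session CSRF token, optionally verifies the Origin header host (the role the enforceReferrer-style setting plays), and issues the session cookie with a SameSite attribute so a cross-site navigation does not carry it.

```php
<?php
// Added example, not TYPO3 code. All names are hypothetical.
declare(strict_types=1);

// Weak pattern (what the advisory describes): the URL alone changes state,
// so a plain link or image tag on another site is enough to trigger it.
function saveDashboardWeak(array $query, array &$dashboard): void
{
    $dashboard['layout'] = $query['layout'] ?? $dashboard['layout'];
}

// Origin/Referer host check: reject requests that do not come from our own host.
function sameOrigin(?string $originHeader, string $expectedHost): bool
{
    if ($originHeader === null || $originHeader === '') {
        return false;
    }
    $host = parse_url($originHeader, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Hardened pattern: only POST may change state, the request must carry the
// anti-CSRF token bound to the session, and the Origin header must match.
function saveDashboardHardened(
    string $method,
    array $post,
    ?string $originHeader,
    string $expectedHost,
    string $sessionToken,
    array &$dashboard
): bool {
    if ($method !== 'POST') {
        http_response_code(405);          // state changes are never allowed via GET
        header('Allow: POST');
        return false;
    }
    if (!sameOrigin($originHeader, $expectedHost)) {
        http_response_code(403);          // cross-site origin
        return false;
    }
    $token = $post['csrf_token'] ?? '';
    if ($token === '' || !hash_equals($sessionToken, $token)) {
        http_response_code(403);          // missing or wrong token
        return false;
    }
    $dashboard['layout'] = $post['layout'] ?? $dashboard['layout'];
    return true;
}

// Session cookie settings so the backend cookie is not sent on cross-site GETs.
function startBackendSession(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
}

// Constructed demonstration of both handlers with simulated requests.
$dashboard    = ['layout' => 'default'];
$sessionToken = bin2hex(random_bytes(32));

// A cross-site GET reaching the weak handler silently changes the layout.
saveDashboardWeak(['layout' => 'unwanted'], $dashboard);
echo "weak handler after GET: {$dashboard['layout']}\n";

$dashboard = ['layout' => 'default'];
// The same cross-site GET is rejected by the hardened handler.
$ok = saveDashboardHardened('GET', ['layout' => 'unwanted'], 'https://other.example', 'backend.example', $sessionToken, $dashboard);
echo 'hardened handler, GET: ' . ($ok ? 'accepted' : 'rejected') . "\n";
// A same-origin POST carrying the session token is accepted.
$ok = saveDashboardHardened('POST', ['layout' => 'compact', 'csrf_token' => $sessionToken], 'https://backend.example', 'backend.example', $sessionToken, $dashboard);
echo 'hardened handler, POST with token: ' . ($ok ? 'accepted' : 'rejected') . ", layout={$dashboard['layout']}\n";
```

Run with the PHP CLI; header() and http_response_code() are harmless no-ops there. The method check is the primary fix, the token binds the request to the session, and the Origin check and SameSite cookie are the defence-in-depth layers the advisory's settings correspond to.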

Affected Version(s)

typo3 >= 10.0.0, < 10.4.48 (fixed in 10.4.48)

typo3 >= 11.0.0, < 11.5.42 (fixed in 11.5.42)

typo3 >= 12.0.0, < 12.4.25 (fixed in 12.4.25)

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published