Cross-Site Request Forgery Vulnerability in TYPO3 Backend User Interface
CVE-2024-55921

7.5HIGH

Key Information:

Vendor: Typo3
Status: Typo3
Vendor: CVE Published:; 14 January 2025

What is CVE-2024-55921?

TYPO3, a widely used open-source Content Management Framework, has a vulnerability in its backend user interface that is vulnerable to Cross-Site Request Forgery (CSRF). This flaw allows an attacker to initiate state-changing actions without proper authorization if they can persuade a user to click on a malicious link while logged in. This situation is exacerbated by misconfigurations such as disabling the security.backend.enforceReferrer feature or configuring BE/cookieSameSite settings improperly. Additionally, the vulnerability in the 'Extension Manager Module' permits attackers to inadvertently retrieve and install unauthorized third-party extensions from the TYPO3 Extension Repository, potentially leading to remote code execution. It is crucial for TYPO3 users to upgrade to the patched versions 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS to mitigate this risk.

Affected Version(s)

typo3 >= 10.0.0, < 10.4.48 < 10.0.0, 10.4.48

typo3 >= 11.0.0, < 11.5.42 < 11.0.0, 11.5.42

typo3 >= 12.0.0, < 12.4.25 < 12.0.0, 12.4.25

References

https://github.com/TYPO3/typo3/security/advisories/GHSA-4...

x_refsource_CONFIRM

https://typo3.org/security/advisory/typo3-core-sa-2025-006

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 14, 2025

Typo3

What is CVE-2024-55921?

Affected Version(s)

References

CVSS V3.1

Timeline