Cross-Site Request Forgery in TYPO3 Backend User Interface
CVE-2024-55922
What is CVE-2024-55922?
A vulnerability has been discovered in the deep link functionality of the TYPO3 backend user interface that makes it susceptible to Cross-Site Request Forgery (CSRF). The flaw allows a malicious actor to trigger actions on behalf of a logged-in user when specific configuration settings are mismanaged. For exploitation to succeed, the victim must have an active backend session and be lured into opening a malicious URL. Specifically, the attack is possible when the security.backend.enforceReferrer feature is disabled and the BE/cookieSameSite setting is lax or absent, which can lead to unauthorized actions in the backend. The affected downstream component, the Form Framework module, can be abused to change or delete persisted form definitions. To mitigate this risk, users must upgrade to the fixed TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS immediately; there are currently no effective workarounds.