Cross-Site Request Forgery in TYPO3 Content Management Framework Backend
CVE-2024-55924


Key Information:

Vendor: TYPO3
Status: Vendor
CVE Published: 14 January 2025

What is CVE-2024-55924?

A vulnerability has been discovered in the TYPO3 Content Management Framework that exposes the backend user interface to Cross-Site Request Forgery (CSRF). The issue arises from faulty deep linking functionality that improperly handles state-changing actions. It is only reachable when the security settings are misconfigured, specifically when the 'security.backend.enforceReferrer' feature is disabled and the 'BE/cookieSameSite' setting is 'lax' or 'none'. In that case an attacker who tricks a user with an active backend session into opening a crafted URL can trigger unauthorized actions within the platform, such as data import and export. Users are strongly encouraged to update their TYPO3 installations to version 11.5.42 ELTS to mitigate this risk. Currently, no workarounds exist.
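
The three preconditions the advisory lists (affected version, referrer enforcement disabled, SameSite cookie set to lax or none) can be turned into a configuration audit. The script below is an added example, not TYPO3 project code: the two settings.php samples are constructed, the regex extraction is an assumption of the example, and the key paths BE/cookieSameSite and SYS/features/security.backend.enforceReferrer are TYPO3's own.

```python
import re

FIXED_VERSION = (11, 5, 42)   # advisory: fixed in 11.5.42 ELTS
AFFECTED_MAJOR = 11           # advisory: typo3 >= 11.0.0, < 11.5.42

# Constructed settings.php samples: the weak configuration beside the corrected one.
WEAK_SETTINGS_PHP = """<?php
return [
    'BE' => ['cookieSameSite' => 'lax'],
    'SYS' => ['features' => ['security.backend.enforceReferrer' => false]],
];
"""
HARDENED_SETTINGS_PHP = """<?php
return [
    'BE' => ['cookieSameSite' => 'strict'],
    'SYS' => ['features' => ['security.backend.enforceReferrer' => true]],
];
"""

def parse_version(version: str) -> tuple:
    """'11.5.41' -> (11, 5, 41); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def extract_settings(php_source: str) -> dict:
    """Pull the two settings this CVE depends on out of the PHP array source
    (regex over the source is an assumption); an absent key is reported as None."""
    same = re.search(r"'cookieSameSite'\s*=>\s*'([^']*)'", php_source)
    ref = re.search(r"'security\.backend\.enforceReferrer'\s*=>\s*(true|false)", php_source)
    return {
        "cookieSameSite": same.group(1).lower() if same else None,
        "enforceReferrer": (ref.group(1) == "true") if ref else None,
    }

def assess(version: str, settings: dict) -> dict:
    """'exposed' is True only when all three preconditions from the advisory hold:
    affected version, referrer enforcement off, SameSite lax or none."""
    v = parse_version(version)
    vulnerable_version = v[0] == AFFECTED_MAJOR and v < FIXED_VERSION
    referrer_off = settings["enforceReferrer"] is False
    samesite_weak = settings["cookieSameSite"] in ("lax", "none")
    advice = []
    if vulnerable_version:
        advice.append("update to 11.5.42 ELTS")
    if referrer_off:
        advice.append("enable SYS/features/security.backend.enforceReferrer")
    if samesite_weak:
        advice.append("set BE/cookieSameSite to 'strict'")
    return {"exposed": vulnerable_version and referrer_off and samesite_weak, "advice": advice}
```

Running `assess("11.5.41", extract_settings(WEAK_SETTINGS_PHP))` reports the installation as exposed with all three remediation items; the hardened sample or any release from 11.5.42 onward reports it as not exposed.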

Affected Version(s)

typo3 >= 11.0.0, < 11.5.42

CVSS v3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 14 January 2025