PT-2021-23097 · Typo3 · Typo3

Richie Lee · Published 2021-10-05 · Updated 2024-03-06 · CVE-2021-41113

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TYPO3 11.x versions prior to 11.5.0 (the affected deep-link feature exists only in the v11 series).

Description: A cross-site request forgery (CSRF) issue has been discovered in the new TYPO3 v11 feature that allows users to create and share deep links into the backend user interface. Because a deep link is just a URL that the victim's browser opens, the issue can be exploited by an unauthenticated attacker and is not limited to the same site context. In a worst-case scenario the attacker creates a new admin user account and thereby fully compromises the system. The attack requires the victim to have an active session in the TYPO3 backend and, while that session is active, to visit a page the attacker controls (a compromised or malicious site). The backend cookie's SameSite setting determines where such a page can be hosted: with SameSite=strict the cookie is still sent for same-site requests, so the attack is possible from another host under the same registrable domain (for example evil.example.org against good.example.org); with SameSite=lax or SameSite=none the cookie is also sent on a cross-site top-level GET navigation, so the attack is possible from an entirely different site (for example evil.com against example.org).

Recommendations: Update to TYPO3 version 11.5.0 to address the issue.
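The following model, added here and not part of the advisory or of TYPO3's code, makes the two conditions above concrete: first, whether the browser attaches the backend session cookie to a deep-link navigation triggered from an attacker's page under each SameSite setting; second, why a cookie alone must not authorize the action, shown as a generic "cookie only" dispatcher beside a hardened one that requires a session-bound token on a POST. Host names, the `action` and `token` query parameters, the `/typo3/deeplink` path and the token scheme are illustrative assumptions; the registrable-domain check is a deliberate simplification of what browsers do with the Public Suffix List.

```python
"""Constructed model of the CSRF conditions in CVE-2021-41113 (not TYPO3 code)."""
from __future__ import annotations

import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two DNS labels.  Browsers consult the
    Public Suffix List instead, so suffixes such as 'co.uk' are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def same_site(host_a: str, host_b: str) -> bool:
    return registrable_domain(host_a) == registrable_domain(host_b)


def cookie_sent(same_site_attr: str, attacker_host: str, target_host: str,
                method: str = "GET", top_level: bool = True) -> bool:
    """Does a session cookie with the given SameSite attribute accompany a
    request to target_host that a page on attacker_host makes the browser
    issue?  A clicked deep link is a top-level GET navigation."""
    attr = same_site_attr.lower()
    if same_site(attacker_host, target_host):
        # Same-site (including another subdomain) is never restricted by
        # SameSite, so even SameSite=strict offers no protection here.
        return True
    if attr == "none":
        return True          # cross-site cookies sent (browsers also require Secure)
    if attr == "lax":
        return top_level and method.upper() == "GET"
    if attr == "strict":
        return False
    raise ValueError(f"unknown SameSite value: {same_site_attr}")


class BackendSession:
    """Stand-in for an authenticated backend session with a per-session token."""

    def __init__(self) -> None:
        self.csrf_token = secrets.token_hex(32)


def _action(url: str) -> str:
    return parse_qs(urlsplit(url).query).get("action", [""])[0]


def handle_deep_link_unprotected(url: str, session: BackendSession | None,
                                 cookie_attached: bool) -> str:
    """Weak pattern: the session cookie alone authorizes a state change on GET."""
    if not cookie_attached or session is None:
        return "denied: no backend session"
    return f"executed: {_action(url)}"


def handle_deep_link(url: str, method: str, session: BackendSession | None,
                     cookie_attached: bool) -> str:
    """Hardened pattern (hypothetical, not TYPO3's patch): a GET deep link only
    renders a confirmation page; the action runs only on a POST carrying the
    session-bound token, which an attacker's page cannot read or guess."""
    if not cookie_attached or session is None:
        return "denied: no backend session"
    if method.upper() == "GET":
        return f"confirm: {_action(url)}"      # no state change on a safe method
    token = parse_qs(urlsplit(url).query).get("token", [""])[0]
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return "denied: missing or invalid CSRF token"
    return f"executed: {_action(url)}"


def simulate(same_site_attr: str, attacker_host: str, target_host: str,
             url: str, method: str, session: BackendSession,
             hardened: bool = True) -> str:
    """Outcome when a page on attacker_host sends the victim to a deep link."""
    sent = cookie_sent(same_site_attr, attacker_host, target_host, method,
                       top_level=True)
    sess = session if sent else None
    if hardened:
        return handle_deep_link(url, method, sess, sent)
    return handle_deep_link_unprotected(url, sess, sent)


if __name__ == "__main__":
    link = "https://good.example.org/typo3/deeplink?action=createAdminUser"
    s = BackendSession()
    # The two cookie scenarios from the advisory text.
    print(cookie_sent("strict", "evil.example.org", "good.example.org"))  # True
    print(cookie_sent("strict", "evil.com", "example.org"))                # False
    print(cookie_sent("lax", "evil.com", "example.org"))                   # True
    # Cookie alone authorizes the action vs. hardened dispatcher.
    print(simulate("lax", "evil.com", "example.org", link, "GET", s, hardened=False))
    print(simulate("lax", "evil.com", "example.org", link, "GET", s))
    print(simulate("none", "evil.com", "example.org", link + "&token=guess", "POST", s))
```

The point the model makes is the one the advisory's cookie table implies: SameSite is a defense-in-depth setting, not a CSRF fix. Under SameSite=strict a sibling host under the same registrable domain still gets the cookie, and under lax any site can trigger a top-level GET, so the application itself must refuse to perform state changes on a bare GET and must bind the action to a secret the attacker cannot obtain.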

Exploit

Fix

CSRF

Weakness Enumeration

CWE-352: Cross-Site Request Forgery (CSRF)

Related Identifiers

BIT-TYPO3-2021-41113
CVE-2021-41113
GHSA-657M-V5VM-F6RW

Affected Products

Typo3