CVE-2024-55894

Name of the Vulnerable Software and Affected Versions TYPO3 versions prior to 11.5.42 ELTS TYPO3 versions prior to 12.4.25 LTS TYPO3 versions prior to 13.4.3 LTS

Description A vulnerability has been identified in the backend user interface functionality involving deep links, which is susceptible to Cross-Site Request Forgery (CSRF). State-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend. This can occur when the user opens a malicious link or visits a compromised website while specific settings are misconfigured, such as the security.backend.enforceReferrer feature being disabled or the BE/cookieSameSite configuration being set to lax or none. The vulnerability in the affected downstream component "Backend User Module" allows attackers to initiate password resets for other backend users or to terminate their user sessions.

Recommendations Update to TYPO3 version 11.5.42 ELTS to resolve the issue. Update to TYPO3 version 12.4.25 LTS to resolve the issue. Update to TYPO3 version 13.4.3 LTS to resolve the issue. As a temporary workaround, consider enabling the security.backend.enforceReferrer feature and setting the BE/cookieSameSite configuration to a more secure value to minimize the risk of exploitation.