PT-2025-3160 · Typo3 · Typo3

Gabriel Dimitrov · Published 2025-01-14 · Updated 2025-08-26 · CVE-2024-55945

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: TYPO3 versions prior to 11.5.42 ELTS

Description: A vulnerability has been identified in the backend user interface functionality involving deep links, which is susceptible to Cross-Site Request Forgery (CSRF). State-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend. This can occur when the user opens a malicious link or visits a compromised website while the backend has misconfigured settings, such as a disabled security.backend.enforceReferrer feature or a BE/cookieSameSite configuration set to lax or none. The vulnerability in the affected downstream component "DB Check Module" allows attackers to manipulate data through unauthorized actions.

Recommendations: Update to TYPO3 version 11.5.42 ELTS to fix the problem described. As a temporary workaround, consider disabling the security.backend.enforceReferrer feature and setting the BE/cookieSameSite configuration to a more secure value until the update is applied. Restrict access to the "DB Check Module" to minimize the risk of exploitation. Avoid using HTTP GET for state-changing actions in downstream components until the issue is resolved.
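The description names three controls that together decide whether a backend deep link can change state: the HTTP method, the Referer/Origin check (what security.backend.enforceReferrer provides) and the SameSite attribute on the session cookie. The following is an added example, not TYPO3's own code, of a request gate that enforces the first two and emits a cookie with the safe SameSite value; the BACKEND_ORIGIN value, the Request/Session/Decision classes, the guard_state_change and session_cookie functions and every sample request are constructed for this demo and are not part of the advisory. It keeps the referrer check enabled and the cookie at SameSite=Strict, the opposite of the misconfigurations the description lists, and it also refuses a token passed in the query string, which is what a GET deep link would carry.

```python
"""Added example (not TYPO3 code): a gate for a state-changing backend action
that enforces HTTP method, same-origin Referer/Origin and a per-session CSRF
token. All request and session objects below are constructed for the demo."""

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Assumed origin of the backend; a cross-site page can never match it.
BACKEND_ORIGIN = "https://cms.example.test"


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    query: dict = field(default_factory=dict)   # URL parameters (deep link)
    form: dict = field(default_factory=dict)    # POST body fields
    session: Optional[Session] = None


@dataclass
class Decision:
    status: int
    reason: str


def _same_origin(header_value: Optional[str]) -> bool:
    """True only when the Origin/Referer header points at the backend itself."""
    if not header_value:
        return False
    parts = urlsplit(header_value)
    return f"{parts.scheme}://{parts.netloc}" == BACKEND_ORIGIN


def guard_state_change(req: Request, enforce_referrer: bool = True) -> Decision:
    """Decide whether a request may perform a state-changing backend action."""
    if req.session is None:
        return Decision(401, "no backend session")
    # 1. Only POST may change state; a GET deep link is refused outright,
    #    which is the missing check the advisory describes.
    if req.method.upper() != "POST":
        return Decision(405, f"state change requested via {req.method.upper()}")
    # 2. Equivalent of an enabled enforceReferrer: Origin first, Referer as fallback.
    if enforce_referrer:
        origin = req.headers.get("Origin") or req.headers.get("Referer")
        if not _same_origin(origin):
            return Decision(403, "cross-site or missing Origin/Referer")
    # 3. The token is read from the POST body only; a token smuggled into the
    #    query string is ignored, and comparison is constant-time.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return Decision(403, "missing or invalid CSRF token")
    return Decision(200, "accepted")


def session_cookie(session_id: str) -> str:
    """Set-Cookie value with the safe SameSite setting (cookie name is constructed)."""
    return f"backend_session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def demo() -> list:
    """Run the constructed sample requests through the gate and collect results."""
    sess = Session(user="editor")
    cross = {"Referer": "https://attacker.example/page"}
    same = {"Origin": BACKEND_ORIGIN}
    samples = [
        # GET deep link carrying the action in the URL: refused by method alone.
        Request("GET", "/backend/dbcheck", cross,
                query={"action": "delete", "uid": "7", "csrf_token": sess.csrf_token}, session=sess),
        # POST from a cross-site page with a guessed token.
        Request("POST", "/backend/dbcheck", cross, form={"csrf_token": "guess"}, session=sess),
        # POST from the backend itself with the correct token.
        Request("POST", "/backend/dbcheck", same, form={"csrf_token": sess.csrf_token}, session=sess),
    ]
    return [guard_state_change(r) for r in samples]


if __name__ == "__main__":
    for d in demo():
        print(d.status, d.reason)
    print(session_cookie("constructed-session-id"))
```

Running the block prints 405, 403 and 200 for the three constructed requests; with enforce_referrer=False the cross-site POST still fails on the token check, which is why the token and the method check remain necessary even when the referrer check is on.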

Weakness Enumeration: CSRF

Related Identifiers: CVE-2024-55945, GHSA-8MV3-37RC-PVXJ

Affected Products: Typo3