CVE-2024-55922 in TYPO3info

Summary

by MITRE • 01/14/2025

TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions: The user opens a malicious link, such as one sent via email. The user visits a compromised or manipulated website while the following settings are misconfigured: 1. `security.backend.enforceReferrer` feature is disabled, 2. `BE/cookieSameSite` configuration is set to lax or none The vulnerability in the affected downstream component “Form Framework Module” allows attackers to manipulate or delete persisted form definitions. Users are advised to update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS which fix the problem described. There are no known workarounds for this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 08/27/2025

The vulnerability identified as CVE-2024-55922 affects TYPO3, a widely used open source Content Management Framework that powers numerous websites and web applications. This security flaw resides within the backend user interface functionality, specifically targeting the deep linking mechanisms that allow users to navigate directly to specific sections of the administration interface. The vulnerability manifests through Cross-Site Request Forgery (CSRF) exploitation, which represents a serious threat to web application security as it allows attackers to perform unauthorized actions on behalf of authenticated users. The flaw demonstrates characteristics consistent with CWE-352, which categorizes Cross-Site Request Forgery vulnerabilities, and aligns with ATT&CK technique T1531 for Establishing Persistence through Web Shell and T1213 for Data from Information Repositories, highlighting the potential for unauthorized modifications to critical application components.

The technical implementation of this vulnerability stems from improper validation of HTTP request methods within downstream components, particularly the Form Framework Module. The system incorrectly accepts state-changing actions through HTTP GET requests rather than enforcing the appropriate POST method, which violates fundamental security principles for modifying application state. This misconfiguration creates a pathway for attackers to craft malicious URLs that, when executed by an authenticated user, can trigger destructive operations such as manipulation or deletion of persisted form definitions. The vulnerability requires a specific attack scenario involving a victim with an active backend session, making it particularly dangerous in environments where users frequently interact with external links or compromised websites. The exploitation process leverages the victim's existing authentication context, making it more effective than attacks requiring additional credential acquisition.

The operational impact of this vulnerability extends beyond simple data manipulation to potentially compromise the entire content management infrastructure. When attackers successfully exploit this flaw, they can modify or delete critical form definitions that may contain sensitive configuration data, user input handling rules, or integration points with external systems. This capability can lead to service disruption, data loss, or even provide attackers with additional attack vectors through compromised form configurations. The vulnerability's exploitation is facilitated by misconfigurations in the TYPO3 backend security settings, specifically when the `security.backend.enforceReferrer` feature is disabled and the `BE/cookieSameSite` configuration is set to lax or none. These misconfigurations create an environment where the CSRF protection mechanisms fail to adequately validate request origins, making the application more susceptible to attacks that would otherwise be prevented by proper security controls.

The recommended mitigation strategy involves upgrading to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS, which contain the necessary patches to address both the CSRF implementation issues and the improper HTTP method handling in the Form Framework Module. These updates resolve the underlying security flaws by implementing proper CSRF token validation and enforcing appropriate HTTP method restrictions for state-changing operations. The absence of known workarounds for this vulnerability underscores the importance of immediate patching, as organizations cannot rely on configuration changes or temporary fixes to address the fundamental implementation flaws. Security teams should prioritize this update across all TYPO3 installations, particularly those running versions prior to the patched releases, as the vulnerability represents a significant risk to backend security and data integrity. The vulnerability's classification as a CSRF issue aligns with security frameworks that emphasize the importance of proper request validation and the principle of least privilege in web application design.

Responsible

GitHub M

Reservation

12/13/2024

Disclosure

01/14/2025

Moderation

accepted

CPE

ready

EPSS

0.00183

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!