CVE-2024-55921

High

Published: 14 January 2025

Published

14 January 2025

Modified

26 August 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0289 86.4th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions: The user opens a malicious link, such as one sent via email. The user visits a compromised or manipulated website while the following settings are misconfigured: 1. `security.backend.enforceReferrer` feature is disabled, 2. `BE/cookieSameSite` configuration is set to lax or none. The vulnerability in the affected downstream component “Extension Manager Module” allows attackers to retrieve and install 3rd party extensions from the TYPO3 Extension Repository - which can lead to remote code execution in the worst case. Users are advised to update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS which fix the problem described.

Security Summary

CVE-2024-55921 is a Cross-Site Request Forgery (CSRF) vulnerability classified under CWE-352 and CWE-749 in the backend user interface of TYPO3, a free and open-source Content Management Framework. The issue affects deep link functionality, where state-changing actions in downstream components, such as the Extension Manager Module, incorrectly accept submissions via HTTP GET requests without enforcing the proper HTTP method. This flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on January 14, 2025.

Exploitation requires the victim to have an active authenticated session in the TYPO3 backend and to be socially engineered into interacting with a malicious URL. Attackers can deliver this via email links or by luring users to compromised or manipulated websites, provided specific misconfigurations exist: the security.backend.enforceReferrer feature is disabled and the BE/cookieSameSite setting is lax or none. Successful attacks on the Extension Manager Module enable retrieval and installation of arbitrary third-party extensions from the TYPO3 Extension Repository, potentially leading to remote code execution.

The official TYPO3 security advisories (TYPO3 Core SA-2025-006 and GitHub GHSA-4g52-pq8j-6qv5) recommend updating to fixed versions 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS to mitigate the vulnerability.

Details

CWE(s): CWE-352CWE-749

Affected Products

typo3

10.0.0 — 10.4.48 · 11.0.0 — 11.5.42 · 12.0.0 — 12.4.25

References

https://github.com/TYPO3/typo3/security/advisories/GHSA-4g52-pq8j-6qv5
Vendor Advisory · security-advisories@github.com
https://typo3.org/security/advisory/typo3-core-sa-2025-006
Vendor Advisory · security-advisories@github.com