CVE-2024-55945

CVSS 3.1 Score 4.3 of 10 (medium)

Details

Published Jan 14, 2025
CWE ID 352
CWE ID 749

Summary

CVE-2024-55945: A significant vulnerability has been discovered in the backend user interface of the TYPO3 Content Management Framework. Deep links combined with Cross-Site Request Forgery (CSRF) can cause downstream components to accept state-changing actions via HTTP GET instead of the required HTTP method. Exploitation requires an active session on the backend user interface and succeeds when a user clicks a malicious URL or visits a manipulated website while specific settings are misconfigured, namely the `security.backend.enforceReferrer` feature disabled and `BE/cookieSameSite` set to `lax` or `none`. The affected downstream component is the DB Check Module, where such actions allow attackers to manipulate data. Users are strongly advised to upgrade to TYPO3 version 11.5.42 ELTS to address this vulnerability. No known workarounds are currently available.
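The two settings named above are the conditions under which the CSRF deep link is exploitable, so an installation audit can flag them directly. The following PHP script is an added example, not part of this advisory or of TYPO3 itself. It assumes it is run from the TYPO3 project root, that `typo3conf/LocalConfiguration.php` returns the `TYPO3_CONF_VARS` array as TYPO3 writes it, and that the default for `BE/cookieSameSite` is `strict` when the key is absent (run it with `php check-typo3-csrf-config.php [path-to-LocalConfiguration.php]`).

```php
<?php
// Added example (not from the advisory or TYPO3): audit the two settings the
// advisory names as weakening the backend's CSRF protection.
// Assumptions: LocalConfiguration.php returns the configuration array, and the
// default for BE/cookieSameSite is 'strict' when the key is not set.

function auditCsrfSettings(array $conf): array
{
    $findings = [];

    // Feature toggle: an explicit false disables referrer enforcement; an absent
    // key leaves TYPO3's own default in place, so only an explicit false is flagged.
    $enforceReferrer = $conf['SYS']['features']['security.backend.enforceReferrer'] ?? null;
    if ($enforceReferrer === false) {
        $findings[] = "SYS/features/security.backend.enforceReferrer is disabled";
    }

    // Cookie SameSite: 'lax' or 'none' lets a cross-site GET carry the backend
    // session cookie, which is the precondition the advisory describes.
    $sameSite = strtolower((string)($conf['BE']['cookieSameSite'] ?? 'strict'));
    if (in_array($sameSite, ['lax', 'none'], true)) {
        $findings[] = "BE/cookieSameSite is '{$sameSite}' (expected 'strict')";
    }

    return $findings;
}

$path = $argv[1] ?? 'typo3conf/LocalConfiguration.php';
if (!is_file($path)) {
    fwrite(STDERR, "configuration file not found: {$path}\n");
    exit(2);
}

$conf = require $path;
if (!is_array($conf)) {
    fwrite(STDERR, "{$path} did not return a configuration array\n");
    exit(2);
}

$findings = auditCsrfSettings($conf);
if ($findings === []) {
    echo "OK: neither weakening setting is present\n";
    exit(0);
}

foreach ($findings as $finding) {
    echo "FINDING: {$finding}\n";
}
echo "Both settings should be corrected and the instance upgraded to 11.5.42 ELTS.\n";
exit(1);
```

A non-zero exit status makes the script usable in a deployment pipeline; the findings are a configuration check only and do not replace the upgrade the advisory requires.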

