CVE-2024-55894
📋 TL;DR
This cross-site request forgery (CSRF) vulnerability in TYPO3's backend user module lets an attacker trigger password resets or terminate sessions for other backend users. Exploitation needs a victim who holds an active backend session and is lured into opening a crafted link, and it only works on installations where the security.backend.enforceReferrer feature is disabled or the BE/cookieSameSite cookie setting has been weakened from 'strict'. The attacker needs no TYPO3 account of their own.
💻 Affected Systems
- TYPO3 CMS
📦 What is this software?
TYPO3 by TYPO3: an open-source content management system written in PHP. The vulnerable component is the backend user management module (system extension beuser), which administrators use to manage backend accounts, compare permissions, terminate sessions and initiate password resets.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could trigger a password reset for an administrative user. If the attacker can also read the resulting reset e-mail (for example through a compromised mailbox or mail relay), this yields full backend access and compromise of the entire CMS installation; even without that, repeated forced resets lock administrators out.
Likely Case
Targeted attacks against specific backend users: forced password resets or terminated sessions that lock editors and administrators out and disrupt day-to-day operation.
If Mitigated
With the security.backend.enforceReferrer feature enabled and BE/cookieSameSite set to 'strict' (the defaults in current TYPO3 releases), the forged cross-site request is rejected, so the vulnerability cannot be exploited even if a user clicks a malicious link.
🎯 Exploit Status
Exploitation requires social engineering: an authenticated backend user must be tricked into opening a crafted link (or visiting a page that issues the request) while their backend session is active. The attacker needs no credentials of their own; the victim's session supplies them.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS
Vendor Advisory: https://typo3.org/security/advisory/typo3-core-sa-2025-004
Restart Required: No
Instructions:
1. Identify your TYPO3 version (see How to Verify below).
2. Update to the patched release of your branch: 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS. Installations on older ELTS branches should consult the vendor advisory for the matching ELTS release.
3. Clear all caches after the update (Admin Tools > Maintenance > Flush Cache, or `typo3 cache:flush`).
🔧 Temporary Workarounds
Enable Referrer Enforcement
Enable the security.backend.enforceReferrer feature toggle so that backend requests arriving without a same-origin referrer are rejected. It is a feature toggle under SYS/features, not a BE setting:
Set $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceReferrer'] = true; in LocalConfiguration.php (or switch it on under Admin Tools > Settings > Feature Toggles).
Configure Secure Cookie Settings
Set BE/cookieSameSite to 'strict' so the browser does not attach the backend session cookie to cross-site requests:
Set $GLOBALS['TYPO3_CONF_VARS']['BE']['cookieSameSite'] = 'strict'; in LocalConfiguration.php. Check that nothing in AdditionalConfiguration.php or a deployment override sets it back to 'lax' or 'none'.
🧯 If You Can't Patch
- Enable the security.backend.enforceReferrer feature toggle and set BE/cookieSameSite to 'strict'; both must be in effect, since either one being weakened leaves the forged request accepted
- Educate users about not clicking suspicious links while logged into backend
🔍 How to Verify
Check if Vulnerable:
Check the TYPO3 version via Admin Tools > System > Environment. You are vulnerable if the version is below the fixed release of its branch: below 11.5.42 on 11.5, below 12.4.25 on 12.4, or below 13.4.3 on 13.4. Also review the two configuration settings above: if security.backend.enforceReferrer is disabled or BE/cookieSameSite is not 'strict', the issue is exploitable on an unpatched system.
Check Version:
php typo3/sysext/core/bin/typo3 --version   (classic installation)
vendor/bin/typo3 --version                  (Composer installation)
Verify Fix Applied:
Verify the version is 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS or higher. As a functional check, confirm that the password reset and session termination actions in the backend user module can no longer be triggered by simply loading a link URL in a logged-in browser without the accompanying form submission.
📡 Detection & Monitoring
Log Indicators:
- Multiple password reset initiations or session terminations for different users from the same client IP or session within a short window
- GET requests to backend user module endpoints that carry state-changing action parameters, where a form POST is expected
Network Indicators:
- Backend requests whose Referer header names an origin other than the site itself, or that lack a Referer entirely
- Cross-origin requests to backend user endpoints
SIEM Query (illustrative; adapt the source and field names to your log pipeline, and note that the HTTP method normally comes from the web server access log rather than from TYPO3's own application log):
source="typo3.log" AND ("password reset" OR "session terminated") AND method="GET"
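The log indicators above can be checked mechanically against web-server access logs. The following is an added example, not TYPO3 project code or anything from the advisory: it parses combined-format access-log lines and reports GET requests to the backend user module route that arrive with a foreign or missing Referer, or that carry a state-changing Extbase action in the query string. The route string `/module/system/BeUser`, the action names `initiatePasswordReset` and `terminateBackendUserSession`, and the sample log lines are assumptions constructed for the example; adjust them to what your installation actually emits.

```python
"""Flag cross-site GET requests to the TYPO3 backend user module.

Added example for this page, not TYPO3 project code.  It reads web-server
access logs in combined format and reports GET requests to the BeUser
module route that carry a foreign or missing Referer, or that name a
state-changing Extbase action in the query string.  Route and action names
below are assumptions, not taken from the advisory.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed backend route of the user module: a path segment on newer
# installations, an encoded `route=` query parameter on older ones.
BEUSER_ROUTE = "/module/system/BeUser"

# Assumed names of the state-changing actions; adjust to your installation.
STATE_CHANGING_ACTIONS = {"initiatePasswordReset", "terminateBackendUserSession"}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def targets_beuser_module(target):
    """True if the request target addresses the backend user module."""
    parts = urlsplit(target)
    if BEUSER_ROUTE in parts.path:
        return True
    return any(BEUSER_ROUTE in unquote(v) for v in parse_qs(parts.query).get("route", []))


def extbase_action(target):
    """Extract the Extbase `...[action]` query parameter, if any."""
    for key, values in parse_qs(urlsplit(target).query).items():
        if key.endswith("[action]"):
            return values[0]
    return None


def classify(entry, own_host):
    """Return the reasons a request looks like CSRF; empty list if benign."""
    if entry["method"] != "GET" or not targets_beuser_module(entry["target"]):
        return []
    reasons = []
    referer = entry["referer"]
    if referer in ("", "-"):
        # Noisy on its own (Referrer-Policy can strip it), but combined with an
        # action parameter it is exactly the link-from-e-mail case.
        reasons.append("missing referer")
    else:
        ref_host = urlsplit(referer).hostname
        if ref_host != own_host:
            reasons.append(f"cross-site referer {ref_host}")
    action = extbase_action(entry["target"])
    if action in STATE_CHANGING_ACTIONS:
        reasons.append(f"state-changing action {action} sent via GET")
    return reasons


def scan(lines, own_host):
    """Scan log lines; return (ip, target, reasons) for each suspicious request."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry, own_host)
        if reasons:
            findings.append((entry["ip"], entry["target"], reasons))
    return findings


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    # Normal backend navigation: same-site referer, no state-changing action.
    '198.51.100.7 - - [12/Jan/2025:10:00:01 +0000] "GET /typo3/module/system/BeUser HTTP/1.1" '
    '200 5120 "https://cms.example.test/typo3/main" "Mozilla/5.0"',
    # Lure page on a foreign origin triggering a password reset via GET.
    '198.51.100.7 - - [12/Jan/2025:10:02:13 +0000] "GET /typo3/module/system/BeUser'
    '?tx_beuser_system_beusertxbeuser%5Baction%5D=initiatePasswordReset'
    '&tx_beuser_system_beusertxbeuser%5BbackendUser%5D=1 HTTP/1.1" '
    '302 0 "https://attacker.example.test/lure.html" "Mozilla/5.0"',
    # Older route style, no referer (link opened from a mail client).
    '203.0.113.9 - - [12/Jan/2025:10:05:44 +0000] "GET /typo3/index.php'
    '?route=%2Fmodule%2Fsystem%2FBeUser'
    '&tx_beuser_system_beusertxbeuser%5Baction%5D=terminateBackendUserSession'
    '&tx_beuser_system_beusertxbeuser%5BbackendUser%5D=3 HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0"',
    # A POST cannot be forged by a plain link; ignored by this check.
    '198.51.100.7 - - [12/Jan/2025:10:06:02 +0000] "POST /typo3/module/system/BeUser HTTP/1.1" '
    '302 0 "https://cms.example.test/typo3/module/system/BeUser" "Mozilla/5.0"',
    # Unrelated backend module.
    '198.51.100.7 - - [12/Jan/2025:10:07:30 +0000] "GET /typo3/module/web/layout HTTP/1.1" '
    '200 8192 "https://cms.example.test/typo3/main" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG, "cms.example.test"):
        print(f"{ip} {target}\n    " + "; ".join(reasons))
```

Run against the constructed sample, only the two forged GET requests are reported; the same-site navigation, the POST and the unrelated module are ignored. Feed real logs by replacing `SAMPLE_LOG` with the lines of your access log and `cms.example.test` with the backend host; treat a "missing referer" hit without an action parameter as low-signal, since Referrer-Policy settings and some clients strip the header legitimately.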
🔗 References
- https://github.com/TYPO3-CMS/beuser/commit/18603efc3a66d3255fdd04eb6bda6b4d6a95abea
- https://github.com/TYPO3-CMS/beuser/commit/1bb317cb2bc0b2f6ba4f758a088f060b36c67f9d
- https://github.com/TYPO3-CMS/beuser/commit/4142112a878f8805234729751bc6b9c0091560ab
- https://github.com/TYPO3/typo3/security/advisories/GHSA-6w4x-gcx3-8p7v
- https://typo3.org/security/advisory/typo3-core-sa-2025-004