CVE-2024-55921
📋 TL;DR
This CSRF vulnerability in TYPO3's backend allows attackers to trick authenticated backend users into performing unauthorized actions via malicious links. When combined with misconfigured security settings (referrer enforcement disabled, a non-strict backend cookie SameSite policy), it enables installation of malicious extensions, which could lead to remote code execution. Exploitation requires a victim who is logged in to the TYPO3 backend.
💻 Affected Systems
- TYPO3 CMS
📦 What is this software?
Typo3 by Typo3
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution via installation of malicious extensions from TYPO3 Extension Repository, potentially leading to complete system compromise.
Likely Case
Unauthorized installation of extensions, configuration changes, or other backend actions performed without user consent.
If Mitigated
Limited to authenticated backend users with specific misconfigurations; proper security settings prevent exploitation.
🎯 Exploit Status
Requires social engineering to trick authenticated users into clicking malicious links. Exploitation depends on specific security misconfigurations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: TYPO3 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS
Vendor Advisory: https://typo3.org/security/advisory/typo3-core-sa-2025-006
Restart Required: No
Instructions:
1. Identify the installed TYPO3 version.
2. Update to a patched version: 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS.
3. Apply the update via the TYPO3 backend or the command line.
4. Clear caches after the update.
🔧 Temporary Workarounds
Enable Referrer Enforcement
Enable the security.backend.enforceReferrer feature so the backend validates the Referer header and rejects cross-site requests.
Add to LocalConfiguration.php (the feature toggle lives under SYS/features): $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceReferrer'] = true;
Configure Secure Cookie Settings
Set BE/cookieSameSite to strict so the backend session cookie is not sent on cross-site navigations.
Add to LocalConfiguration.php: $GLOBALS['TYPO3_CONF_VARS']['BE']['cookieSameSite'] = 'strict';
🧯 If You Can't Patch
- Implement both workarounds: enable enforceReferrer and set cookieSameSite to strict
- Restrict backend access to trusted networks only using firewall rules
- Implement web application firewall (WAF) with CSRF protection rules
- Educate users about phishing risks and safe browsing practices
🔍 How to Verify
Check if Vulnerable:
Check the TYPO3 version and security settings; the installation is vulnerable if all of the following hold:
1. Version < 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS.
2. security.backend.enforceReferrer = false.
3. BE/cookieSameSite = lax or none.
Check Version:
php typo3/sysext/core/bin/typo3 --version OR check TYPO3 backend login page footer
Verify Fix Applied:
1. Confirm the version is 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS.
2. Verify the Extension Manager module no longer accepts state-changing actions via HTTP GET.
📡 Detection & Monitoring
Log Indicators:
- Unexpected extension installations via Extension Manager
- Backend actions from unusual IP addresses or referrers
- GET requests to extension installation endpoints
Network Indicators:
- Outbound connections to TYPO3 Extension Repository from unexpected sources
- HTTP GET requests to backend extension management endpoints
SIEM Query:
source="typo3.log" AND ("Extension Manager" OR "extension installed") AND method="GET"
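As an added illustration of the detection logic above (not part of the original advisory), the following Python script scans constructed web-server access-log lines for GET requests to the Extension Manager module that carry a state-changing parameter or arrive without a same-site Referer, the two conditions the workarounds above are meant to block. The module path and the `action` parameter are placeholders, not TYPO3's real route or parameter names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; paths and parameters are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /typo3/module/tools/extensionmanager?action=install&key=evil_ext HTTP/1.1" 200 512 "https://attacker.example/lure" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:00:02 +0000] "POST /typo3/module/tools/extensionmanager HTTP/1.1" 200 512 "https://cms.example/typo3/" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:00:03 +0000] "GET /typo3/module/tools/extensionmanager?action=install&key=foo HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:00:04 +0000] "GET /typo3/module/tools/extensionmanager HTTP/1.1" 200 512 "https://cms.example/typo3/" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:00:05 +0000] "GET /typo3/module/web/list HTTP/1.1" 200 512 "https://cms.example/typo3/" "Mozilla/5.0"
"""

# Combined-log-format parser: client IP, timestamp, method, path, status, Referer, User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def find_csrf_candidates(log_text, backend_host, module_marker="extensionmanager",
                         state_params=("action",)):
    """Return GET requests to the extension module that look like cross-site triggers."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # only GET-triggered state changes are in scope here
        url = urlsplit(m["path"])
        if module_marker not in url.path.lower():
            continue  # not the Extension Manager module
        reasons = []
        if any(p in parse_qs(url.query) for p in state_params):
            reasons.append("state-changing parameter sent via GET")
        referer = m["referer"]
        ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
        if ref_host != backend_host:
            reasons.append("missing or cross-site Referer")
        if reasons:
            findings.append({"ip": m["ip"], "time": m["ts"], "path": m["path"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_csrf_candidates(SAMPLE_LOG, "cms.example"):
        print(f["time"], f["ip"], f["path"], "->", "; ".join(f["reasons"]))
```

A plain GET that merely opens the module with a same-site Referer (fourth sample line) is not reported, so the script separates normal backend browsing from the pattern the advisory describes.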