CVE-2024-55924
📋 TL;DR
A cross-site request forgery (CSRF) weakness in the TYPO3 backend lets an attacker who gets an authenticated backend user to open a crafted link trigger actions in that user's session. In the Scheduler Module this can start pre-defined command classes, including data import and export tasks, without the user intending it. Exploitation needs a live backend session plus two configuration weaknesses: the security.backend.enforceReferrer feature disabled and BE/cookieSameSite set to lax or none. Installations with referrer enforcement on and SameSite=strict cookies are not exploitable.
💻 Affected Systems
- TYPO3 CMS (11.5 ELTS branch before 11.5.42; see the vendor advisory for the status of other branches)
📦 What is this software?
TYPO3 CMS is an open-source enterprise content management system written in PHP. The backend is its administrative web interface for editors and administrators; the Scheduler Module runs recurring tasks (cron-style jobs) and can execute pre-defined command classes from the backend.
⚠️ Risk & Real-World Impact
Worst Case
An attacker triggers import or export tasks through the Scheduler Module's command classes in an administrator's session, leading to exfiltration of data or to imported content that compromises the site.
Likely Case
Unauthorized backend actions being performed by tricked administrators, such as content modifications or configuration changes.
If Mitigated
No impact when referrer enforcement is enabled and the backend cookie uses SameSite=strict, or when no backend user follows the attacker's link while logged in.
🎯 Exploit Status
Exploitation requires social engineering (an authenticated backend user must open an attacker-controlled link while logged in) and the configuration weaknesses named above. No public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: TYPO3 11.5.42 ELTS (fixed versions for other branches are listed in the vendor advisory)
Vendor Advisory: https://typo3.org/security/advisory/typo3-core-sa-2025-009
Restart Required: No (clear the TYPO3 caches; flush the PHP opcache if it is configured not to revalidate changed files)
Instructions:
1. Back up the TYPO3 installation and database.
2. Update the core to 11.5.42 ELTS. Composer-based installations run composer update "typo3/cms-*" --with-all-dependencies; classic installations replace the core package or use the Core Updater in the Install Tool. ELTS releases are only available to ELTS subscribers. The Extension Manager updates extensions, not the core.
3. Clear all caches, for example with the cache:flush console command or the Install Tool.
4. Verify the installed version with the check under "How to Verify".
🔧 Temporary Workarounds
Configuration Hardening
Enable referrer enforcement and use strict SameSite backend cookies; this removes both preconditions the attack depends on.
Set $GLOBALS['TYPO3_CONF_VARS']['BE']['cookieSameSite'] = 'strict' in LocalConfiguration.php
Enable the security.backend.enforceReferrer feature toggle (SYS/features in LocalConfiguration.php, or Admin Tools > Settings > Feature Toggles in the backend)
🧯 If You Can't Patch
- Enable the security.backend.enforceReferrer feature toggle and set BE/cookieSameSite to 'strict'; with both in place a forged cross-site request arrives without a backend session or fails the referrer check
- Restrict which backend users may use the Scheduler Module and monitor its usage
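The following LocalConfiguration.php fragment is an added example, not code from the TYPO3 project or the advisory. It shows the two settings from the workaround above with the weak values commented out beside the hardened values. LocalConfiguration.php returns one configuration array, so merge these keys into the existing array rather than replacing the file.

```php
<?php
// Added example (not from TYPO3 or the advisory): hardened values for the two
// settings the CSRF workaround depends on. Merge into the existing array in
// typo3conf/LocalConfiguration.php; do not overwrite the file with this.

return [
    'BE' => [
        // Weak: 'lax' lets top-level navigations from other sites (a link
        // the user clicks) carry the backend session cookie; 'none' lets any
        // cross-site request carry it.
        // 'cookieSameSite' => 'lax',

        // Hardened: the browser never attaches the backend cookie to a
        // cross-site request, so a forged link arrives unauthenticated.
        'cookieSameSite' => 'strict',
    ],
    'SYS' => [
        'features' => [
            // Weak: backend requests are accepted without a same-origin
            // Referer header.
            // 'security.backend.enforceReferrer' => false,

            // Hardened: the backend rejects requests whose Referer does not
            // match its own origin.
            'security.backend.enforceReferrer' => true,
        ],
    ],
];
```

Expect one side effect of 'strict': a user who reaches the backend by following a link from another site (a ticket system, a chat message) arrives without the session cookie and sees the login form, because the cookie is withheld on exactly the kind of cross-site navigation the attack relies on.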
🔍 How to Verify
Check if Vulnerable:
An installation is exploitable only if all three hold: the TYPO3 version is below 11.5.42 ELTS (or below the fixed version of its branch per the advisory), the security.backend.enforceReferrer feature is disabled, and BE/cookieSameSite is set to lax or none. Read the effective values in the backend Configuration module (Admin Tools > Configuration > $GLOBALS['TYPO3_CONF_VARS']), since keys absent from LocalConfiguration.php take the core defaults.
Check Version:
php typo3/sysext/core/bin/typo3 --version   (Composer-based installations use vendor/bin/typo3 instead)
Verify Fix Applied:
Confirm the version is 11.5.42 ELTS or later using the About module (Help > About) or the version command above, and confirm that the two hardening settings are still in effect after the update.
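The script below is an added example, not part of TYPO3 or the advisory. It encodes the three-way "Check if Vulnerable" condition above: it parses the output of typo3 --version, compares it with the 11.5 fixed version given on this page, loads LocalConfiguration.php (which returns the configuration array) and classifies the two settings. The script name, the invocation and the rule that only the 11.5 branch is encoded are assumptions; keys missing from LocalConfiguration.php are reported as unset rather than guessed, because the effective default lives in the core's DefaultConfiguration.php.

```php
<?php
// Added example (not from TYPO3 or the advisory): evaluate the CSRF exposure
// conditions for CVE-2024-55924 from the CLI.
// Assumed invocation:
//   php check-csrf-exposure.php "$(php typo3/sysext/core/bin/typo3 --version)" typo3conf/LocalConfiguration.php
// Exit code 1 = all three exploitability conditions hold, 0 otherwise, 2 = usage error.

declare(strict_types=1);

// Only the branch this page documents; other branches: consult the advisory.
const FIXED_VERSIONS = ['11.5' => '11.5.42'];

/** Extract "x.y.z" from output such as "TYPO3 CMS 11.5.40". */
function parseVersion(string $text): ?string
{
    return preg_match('/\b(\d+\.\d+\.\d+)\b/', $text, $m) ? $m[1] : null;
}

/** true = below the fix, false = fixed, null = branch not covered here. */
function isBelowFix(string $version): ?bool
{
    $branch = preg_replace('/^(\d+\.\d+)\..*$/', '$1', $version);
    if (!isset(FIXED_VERSIONS[$branch])) {
        return null;
    }
    return version_compare($version, FIXED_VERSIONS[$branch], '<');
}

/** LocalConfiguration.php returns the configuration array when required. */
function loadConfig(string $path): array
{
    $conf = require $path;
    if (!is_array($conf)) {
        throw new RuntimeException("$path did not return an array");
    }
    return $conf;
}

/** Classify each relevant key as 'weak', 'hardened' or 'unset'. */
function classify(array $conf): array
{
    $sameSite = $conf['BE']['cookieSameSite'] ?? null;
    $referrer = $conf['SYS']['features']['security.backend.enforceReferrer'] ?? null;
    return [
        'BE/cookieSameSite' => $sameSite === null ? 'unset'
            : (strtolower((string)$sameSite) === 'strict' ? 'hardened' : 'weak'),
        'security.backend.enforceReferrer' => $referrer === null ? 'unset'
            : ($referrer ? 'hardened' : 'weak'),
    ];
}

$version = parseVersion($argv[1] ?? '');
$configPath = $argv[2] ?? 'typo3conf/LocalConfiguration.php';
if ($version === null || !is_file($configPath)) {
    fwrite(STDERR, "usage: php check-csrf-exposure.php <typo3 --version output> <LocalConfiguration.php>\n");
    exit(2);
}

$belowFix = isBelowFix($version);
$settings = classify(loadConfig($configPath));

printf("TYPO3 %s: %s\n", $version, $belowFix === null
    ? 'branch not covered by this script, check the advisory'
    : ($belowFix ? 'below the fixed version' : 'at or above the fixed version'));
foreach ($settings as $key => $state) {
    printf("%-36s %s\n", $key . ':', $state);
}

// The page's rule: unpatched AND referrer enforcement off AND SameSite lax/none.
// 'unset' keys use the core default; confirm them in the Configuration module.
$exposed = $belowFix === true
    && $settings['security.backend.enforceReferrer'] === 'weak'
    && $settings['BE/cookieSameSite'] === 'weak';

if ($exposed) {
    echo "RESULT: exploitable configuration on an unpatched version\n";
} elseif ($belowFix === true) {
    echo "RESULT: unpatched; confirm unset/hardened settings, then update\n";
} else {
    echo "RESULT: not affected at the version level for the branch checked\n";
}
exit($exposed ? 1 : 0);
```

Run it from the installation root so the relative LocalConfiguration.php path resolves. The exit code makes it usable from a fleet inventory job: a non-zero result flags an installation that needs the 11.5.42 ELTS update or the configuration hardening before the next maintenance window.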
📡 Detection & Monitoring
Log Indicators:
- Scheduler tasks started from a backend session at times or by users that do not match normal administration
- Backend requests from unusual client IPs, or backend requests rejected because the Referer header is missing or from another origin (visible once security.backend.enforceReferrer is enabled)
- CSRF token validation failures recorded in the TYPO3 logs (typo3temp/var/log or var/log, depending on the installation type)
Network Indicators:
- GET requests to backend endpoints that normally receive POST requests from the backend's own forms
- Backend requests whose Referer header is absent or points to a foreign origin, in particular those carrying a backend session cookie
SIEM Query:
source="typo3.log" AND ("CSRF" OR "Scheduler" OR "deep link") AND (severity="WARNING" OR severity="ERROR")
(Splunk-style pattern; adapt the source name, field names and severity values to the log sink that actually ingests the TYPO3 log files.)