CVE-2024-55945
📋 TL;DR
This cross-site request forgery (CSRF) vulnerability in the TYPO3 backend lets an attacker trick an authenticated backend user into triggering state-changing actions in the DB Check module by opening a crafted link. It is exploitable only on installations that have weakened two defaults: the referrer enforcement feature (security.backend.enforceReferrer) is disabled and BE/cookieSameSite is set to lax or none. With either protection in place the cross-site request fails.
💻 Affected Systems
- TYPO3 CMS
📦 What is this software?
TYPO3 is an open-source enterprise content management system written in PHP. The backend is its authenticated administration interface; the DB Check module, shipped with the lowlevel system extension, provides database inspection and maintenance tools for administrators.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who lures a backend user with access to the module into opening a crafted link can trigger the module's state-changing operations (for example a reference index rebuild) with that user's privileges. The damage is bounded by the functions the DB Check module itself exposes, executed as the victim.
Likely Case
The attacker fires blind requests: the victim must be logged in to the backend in the same browser at the time, and the attacker never sees the response. The realistic outcome is unwanted maintenance actions in the DB Check module rather than targeted data theft.
If Mitigated
With the defaults in place the attack fails twice over: SameSite=strict stops the browser from sending the backend session cookie on a cross-site navigation, so the request arrives unauthenticated, and referrer enforcement makes TYPO3 reject backend requests that do not carry a same-origin referrer. Clicking the link then has no effect.
🎯 Exploit Status
Requires a victim who is logged in to the TYPO3 backend and has access to the DB Check module, an installation with both referrer enforcement disabled and BE/cookieSameSite set to lax or none, and user interaction (opening attacker-controlled content in the same browser). The attacker needs no credentials of their own; the victim's session does the work.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: TYPO3 11.5.42 ELTS (the advisory also lists the corresponding fixed releases for the other supported branches; apply the one matching your branch)
Vendor Advisory: https://typo3.org/security/advisory/typo3-core-sa-2025-010
Restart Required: No (if PHP OPcache is enabled, flush it or reload PHP-FPM so the updated core files are picked up)
Instructions:
1. Back up the TYPO3 installation and its database.
2. Update to TYPO3 11.5.42 ELTS (or the fixed release for your branch) with Composer, or with the Install Tool's core updater on non-Composer installations.
3. Clear all caches from the TYPO3 backend or from the Install Tool's Maintenance section.
4. Verify the update: the version check in the How to Verify section must report 11.5.42 ELTS or later.
🔧 Temporary Workarounds
Enable Referrer Enforcement
Enable the security.backend.enforceReferrer feature toggle so the backend rejects requests that do not originate from its own origin. This is the default on current releases; it only needs setting if it was switched off.
Set $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceReferrer'] = true; in LocalConfiguration.php or AdditionalConfiguration.php (the toggle lives under SYS/features, not under BE; TYPO3 12 and later keep these settings in settings.php instead).
Configure Secure Cookie Settings
Set BE/cookieSameSite to 'strict' instead of 'lax' or 'none' so the backend session cookie is not sent on cross-site navigations. This is also the default. With 'strict', a backend link opened from an external site or e-mail lands on the login form instead of a live session; that is the intended trade-off.
Set $GLOBALS['TYPO3_CONF_VARS']['BE']['cookieSameSite'] = 'strict'; in LocalConfiguration.php or AdditionalConfiguration.php
🧯 If You Can't Patch
- Restore both defaults: enable security.backend.enforceReferrer and set BE/cookieSameSite to 'strict'. Either one on its own already breaks this CSRF; together they are defence in depth.
- Restrict backend access to trusted networks (firewall rules, VPN). This shrinks the pool of sessions an attacker can ride, but it does not stop CSRF by itself: the forged request is sent by the victim's own browser from inside the trusted network.
🔍 How to Verify
Check if Vulnerable:
An installation is affected when all three hold: the core version is below 11.5.42 ELTS (or below the fixed release for its branch), the feature toggle security.backend.enforceReferrer is disabled, and BE/cookieSameSite is 'lax' or 'none'. Inspect LocalConfiguration.php and AdditionalConfiguration.php, or use Install Tool > Settings (Feature Toggles, and Configure installation-wide options).
Check Version:
php typo3/sysext/core/bin/typo3 --version
(Composer-based installations: vendor/bin/typo3 --version)
Verify Fix Applied:
Confirm the version is 11.5.42 ELTS or later. Keep referrer enforcement enabled and BE/cookieSameSite at 'strict' as defence in depth; the patch closes the CSRF on its own.
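The two workaround settings and the vulnerability check above can be automated. The following Python script is an added example (not from the TYPO3 project or the advisory) that reads the configuration files in load order and reports whether the exposed combination is present. It assumes that values not set explicitly fall back to the core defaults of 'strict' and enabled (pass different defaults if your Install Tool shows otherwise); the configuration fragments embedded in it are constructed samples, not a real site's files.

```python
import re

# Constructed configuration fragments (not from any real site). The first is in the
# exposed state the advisory describes; the second restores the TYPO3 defaults.
EXPOSED_CONFIG = """<?php
return [
    'BE' => [
        'cookieSameSite' => 'lax',
    ],
    'SYS' => [
        'features' => [
            'security.backend.enforceReferrer' => false,
        ],
    ],
];
"""

HARDENED_CONFIG = """<?php
$GLOBALS['TYPO3_CONF_VARS']['BE']['cookieSameSite'] = 'strict';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceReferrer'] = true;
"""

# Matches both the array form used in LocalConfiguration.php ('key' => 'value')
# and the assignment form used in AdditionalConfiguration.php (['key'] = 'value').
SAMESITE_RE = re.compile(r"cookieSameSite'\]?\s*(?:=>|=)\s*'(\w+)'")
REFERRER_RE = re.compile(
    r"security\.backend\.enforceReferrer'\]?\s*(?:=>|=)\s*(true|false)", re.IGNORECASE)


def extract_settings(php_source):
    """Return the last explicit value of each relevant setting, or None when unset.

    Pass the files concatenated in load order (LocalConfiguration.php, then
    AdditionalConfiguration.php) so that a later override wins.
    """
    same_site = SAMESITE_RE.findall(php_source)
    referrer = REFERRER_RE.findall(php_source)
    return {
        "cookieSameSite": same_site[-1].lower() if same_site else None,
        "enforceReferrer": referrer[-1].lower() == "true" if referrer else None,
    }


def csrf_exposure(php_source, default_same_site="strict", default_enforce=True):
    """Evaluate the advisory's precondition for CVE-2024-55945.

    The CSRF is exploitable only when BOTH protections are weakened: the backend
    cookie is sent on cross-site navigations (SameSite lax/none) AND referrer
    enforcement is off. The defaults are an assumption (core defaults: strict,
    enabled); confirm them in the Install Tool if in doubt.
    """
    found = extract_settings(php_source)
    same_site = found["cookieSameSite"] or default_same_site
    enforce = found["enforceReferrer"] if found["enforceReferrer"] is not None else default_enforce
    weak_cookie = same_site in ("lax", "none")
    missing = []
    if weak_cookie:
        missing.append("BE/cookieSameSite is not strict")
    if not enforce:
        missing.append("security.backend.enforceReferrer is disabled")
    return {
        "cookieSameSite": same_site,
        "enforceReferrer": enforce,
        "exposed": weak_cookie and not enforce,
        "missing_controls": missing,
    }


def check_files(*paths):
    """Read real configuration files in load order and evaluate them together."""
    source = ""
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            source += fh.read() + "\n"
    return csrf_exposure(source)


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = csrf_exposure(cfg)
        print(f"{label}: exposed={result['exposed']} missing={result['missing_controls']}")
```

On a real host call check_files("typo3conf/LocalConfiguration.php", "typo3conf/AdditionalConfiguration.php") from the project root; the regex approach deliberately ignores PHP logic around the assignments, so a setting computed at runtime (for example from an environment variable) will not be seen and must be confirmed in the Install Tool.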
📡 Detection & Monitoring
Log Indicators:
- DB Check module actions (for example reference index updates) that the administrator concerned did not initiate, or that come from unexpected IP addresses or at unusual times; cross-check with the TYPO3 backend log module
- Parameterised GET requests to the DB Check module with a missing or foreign Referer in the web server access log
Network Indicators:
- HTTP GET requests to backend DB Check endpoints carrying state-changing parameters, in particular with a Referer from another origin or none at all
SIEM Query:
source="typo3.log" AND ("DB Check" OR "csrf" OR "referrer") AND (severity="WARNING" OR severity="ERROR")
Treat this as a starting point: field and source names depend on your logging pipeline, and a blocked attempt usually leaves its clearest trace in the web server access log rather than in TYPO3's own log.
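As an added detection example (not part of the original page or the TYPO3 project), the script below applies the network indicator above to web server access logs in combined format: it flags parameterised GET requests to the DB Check module whose Referer is missing or belongs to another origin. The module route /typo3/module/system/dbint, the host name cms.example.com, the query parameters and the log lines are assumptions and constructed samples, not captured traffic.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not taken from the advisory): the backend is served under /typo3
# on this host and the DB Check module lives at this route.
SITE_HOST = "cms.example.com"
DBCHECK_PATH = "/typo3/module/system/dbint"

# Constructed combined-format access log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2025:10:15:02 +0000] "GET /typo3/module/system/dbint?function=refindex&update=1 HTTP/1.1" 200 5123 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.4 - - [14/Jan/2025:10:16:40 +0000] "GET /typo3/module/system/dbint?function=refindex&update=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jan/2025:10:17:11 +0000] "GET /typo3/module/system/dbint?function=refindex HTTP/1.1" 200 4870 "https://cms.example.com/typo3/module/system/dbint" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2025:10:18:05 +0000] "GET /typo3/module/web/list?id=1 HTTP/1.1" 200 9001 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.9 - - [14/Jan/2025:10:19:30 +0000] "GET /typo3/module/system/dbint HTTP/1.1" 200 4870 "https://cms.example.com/typo3/" "Mozilla/5.0"
"""

# Apache/Nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry, site_host=SITE_HOST, dbcheck_path=DBCHECK_PATH):
    """Return a reason string if the request looks like a cross-site GET to DB Check."""
    if entry["method"] != "GET":
        return None
    path, _, query = entry["target"].partition("?")
    if not path.startswith(dbcheck_path) or not query:
        return None  # only parameterised requests can carry a state change
    referer = entry["referer"]
    if referer in ("", "-"):
        return "no Referer on parameterised DB Check request"
    origin = urlsplit(referer).hostname
    if origin != site_host:
        return f"cross-site Referer {origin}"
    return None


def find_suspicious(log_text, **kw):
    """Run classify() over every parseable line and collect the hits in order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry, **kw)
        if reason:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "target": entry["target"], "reason": reason})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['target']} -> {hit['reason']}")
```

A missing Referer is the weaker of the two signals, since Referrer-Policy headers and privacy tooling strip it legitimately; a foreign origin on a parameterised backend request is much harder to explain away. On a patched or correctly configured host these requests are harmless, but a match still tells you that someone attempted the lure and which administrator's browser it came from.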