CVE-2021-41113 — Use of Password System for Primary Authentication in Typo3

CWE-309 — Use of Password System for Primary Authentication CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

8.8HIGHNVD

CNA8.0

EPSS

0.2%

top 52.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 Typo3 CMS Typo3 Cms-core

Timeline

PublishedOct 5

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. The impact is the same as described in TYPO3-CORE-SA-2020-006 (CVE-2020-11069). However, it is not limited to the same site context and does not require the attacker to be authenticated. In a worst case scenario, the attacker coul…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶Packagisttypo3/cms-core11.2.0 — 11.5.0

▶Packagisttypo3/cms11.2.0 — 11.5.0

▶NVDtypo3/typo311.2.0 — 11.5.0

▶CVEListV5typo3/typo3>= 11.2.0, < 11.5.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Cross-Site-Request-Forgery in Backend↗2021-10-05

▶

GHSA

Cross-Site-Request-Forgery in Backend↗2021-10-05

▶

CVEList

Cross-Site-Request-Forgery in Backend URI Handling in Typo3↗2021-10-05

▶