CVE-2024-55894 — Cross-Site Request Forgery in Typo3

CWE-352 — Cross-Site Request Forgery CWE-749 — Exposed Dangerous Method or Function4 documents4 sources

Severity

5.4MEDIUMNVD

CNA4.3

EPSS

0.2%

top 54.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 Typo3 Cms-beuser

Timeline

PublishedJan 14

Description

TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session o…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶Packagisttypo3/cms-beuser10.0.0 — 10.4.48+3

▶NVDtypo3/typo310.0.0 — 10.4.48+3

▶CVEListV5typo3/typo34 versions+3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

TYPO3 Cross-Site Request Forgery in Backend User Module↗2025-01-14

▶

OSV

TYPO3 Cross-Site Request Forgery in Backend User Module↗2025-01-14

▶

CVEList

TYPO3 Cross-Site Request Forgery in Backend User Module↗2025-01-14

▶