TYPO3 cms-form vulnerabilities

4 known vulnerabilities affecting typo3/cms-form.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 2

Vulnerabilities

CVE-2024-55922 | MEDIUM | ≥ 10.0.0, < 10.4.48; ≥ 11.0.0, < 11.5.42; +2 more | 2025-01-14
CVE-2024-55922 [MEDIUM] CWE-352 TYPO3 Form Framework Module vulnerable to Cross-Site Request Forgery
Problem: A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce t
Sources: GHSA, OSV

CVE-2021-21357 | HIGH | ≥ 8.0.0, < 8.7.40; ≥ 9.0.0, < 9.5.25; +2 more | 2021-03-23
CVE-2021-21357 [HIGH] CWE-20 Broken Access Control in Form Framework
Problem: Due to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework. In the default configuration of the Form Framework this allows attackers to explicitly allow arbitrary mime-types for file uploads - however, default _fileDenyPattern_ successfully blocked files like _
Sources: GHSA, OSV

CVE-2021-21355 | HIGH | ≥ 8.0.0, < 8.7.40; ≥ 9.0.0, < 9.5.25; +2 more | 2021-03-23
CVE-2021-21355 [HIGH] CWE-434 Unrestricted File Upload in Form Framework
Problem: Due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. TYPO3 Extbase extensions, which implement a file upload and do not implement a custom _TypeConverter_ to transform up
Sources: GHSA, OSV

CVE-2021-21358 | MEDIUM | ≥ 10.2.0, < 10.4.14; ≥ 11.0.0, < 11.1.1 | 2021-03-23
CVE-2021-21358 [MEDIUM] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in typo3/cms-form
Problem: It has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability.
Solution: Update to TYP
Sources: GHSA, OSV