Official typo3.org security advisories
https://typo3.org/security (feed generated Sat, 19 Jul 2025 05:00:03 +0200)

    TYPO3-EXT-SA-2025-008: Multiple vulnerabilities in extension "Front End User Registration" (sr_feuser_register)
    Elias Häußler, Tue, 20 May 2025 12:04:00 +0200
    https://typo3.org/security/advisory/typo3-ext-sa-2025-008

    It has been discovered that the extension "Front End User Registration" (sr_feuser_register) is susceptible to Remote Code Execution and Insecure Direct Object Reference.

  • Release Date: May 20, 2025
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Front End User Registration" (sr_feuser_register)
  • Composer Package Name: sjbr/sr-feuser-register
  • Vulnerability Type: Remote Code Execution and Insecure Direct Object Reference
  • Affected Versions: 5.1.0 – 12.4.8
  • Severity: Critical
  • Suggested CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
  • References: CVE-2025-48200, CVE-2025-48205, CWE-502, CWE-639
    Problem Description

    The extension allows the exchange of a serialized file object representation of a previously uploaded file without proper validation. This enables an attacker to inject arbitrary serialized PHP objects, which may be deserialized on the server side, potentially leading to Remote Code Execution (RCE).

    The extension does not verify if a specified file identifier is authorized for download. This allows an attacker to disclose and download arbitrary files without further authentication, resulting in an Insecure Direct Object Reference (IDOR) vulnerability.

    Solution

    An updated version 12.5.0 is available from the TYPO3 extension manager, packagist and at
    https://extensions.typo3.org/extension/download/sr_feuser_register/12.5.0/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Johannes Seipelt for reporting the RCE vulnerability, to Security Team Member Torben Hansen for reporting the IDOR issue, and to Stanislas Roland for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    TYPO3-EXT-SA-2025-007: Multiple vulnerabilities in extension "Backup Plus" (ns_backup)
    Elias Häußler, Tue, 20 May 2025 12:03:00 +0200
    https://typo3.org/security/advisory/typo3-ext-sa-2025-007

    It has been discovered that the extension "Backup Plus" (ns_backup) is susceptible to Command Injection, Predictable Resource Location and Cross-Site Scripting.

  • Release Date: May 20, 2025
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Backup Plus" (ns_backup)
  • Composer Package Name: nitsan/ns-backup
  • Vulnerability Type: Command Injection, Predictable Resource Location and Cross-Site Scripting
  • Affected Versions: 13.0.0 and below
  • Severity: Medium
  • Suggested CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
  • References: CVE-2025-48201, CVE-2025-48204, CVE-2025-48206, CWE-77, CWE-79, CWE-552
    Problem Description

    The extension fails to sanitize user input, resulting in Command Injection when creating a backup. An authenticated backend user with access to the extension's backend module is required to exploit the vulnerability.

    The extension saves backup and configuration files to a predictable resource location. This allows an unauthenticated remote user to download created backups and configuration files.

    The extension fails to properly encode user input for output in HTML context in the TYPO3 backend user interface.

    Note: The TYPO3 Security Team recommends downloading and then removing all previously created backup files, so that any files exposed by the Predictable Resource Location vulnerability are deleted. Additionally, it is recommended to configure a directory that is not publicly accessible as the target folder for backups.

    Solution

    An updated version 13.0.1 is available from the TYPO3 extension manager, packagist and at
    https://extensions.typo3.org/extension/download/ns_backup/13.0.1/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Jakub Świes and to Swiss NCSC Vulnerability Management Team for reporting the Command Injection vulnerability, Swiss NCSC Vulnerability Management Team and TYPO3 Security Team Member Torben Hansen for reporting the Predictable Resource Location vulnerability, Swiss NCSC Vulnerability Management Team for reporting the Cross-Site Scripting vulnerabilities and Sanjay Chauhan (NITSAN) for providing an updated version of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    TYPO3-EXT-SA-2025-006: Insecure Direct Object Reference in extension "femanager" (femanager)
    Elias Häußler, Tue, 20 May 2025 12:02:00 +0200
    https://typo3.org/security/advisory/typo3-ext-sa-2025-006

    It has been discovered that the extension "femanager" (femanager) is susceptible to Insecure Direct Object Reference.

  • Release Date: May 20, 2025
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "femanager" (femanager)
  • Composer Package Name: in2code/femanager
  • Vulnerability Type: Insecure Direct Object Reference
  • Affected Versions: 5.5.0 - 5.5.4, 6.0.0 - 6.4.0, 7.0.0 - 7.4.1, 8.0.0 - 8.2.1
  • Severity: Medium
  • Suggested CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
  • References: CVE-2025-48202, CWE-639, CWE-284
    Problem Description

    A superfluous parameter in the newAction of the newController allows an unauthenticated user to view user data of any frontend user.

    Solution

    Updated versions 5.5.5, 6.4.1, 7.4.2 and 8.2.2 are available from the TYPO3 extension manager, packagist and at
    https://extensions.typo3.org/extension/download/femanager/5.5.5/zip
    https://extensions.typo3.org/extension/download/femanager/6.4.1/zip
    https://extensions.typo3.org/extension/download/femanager/7.4.2/zip
    https://extensions.typo3.org/extension/download/femanager/8.2.2/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Stefan Busemann for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    TYPO3-EXT-SA-2025-005: Cross-Site Scripting in extension "[clickstorm] SEO" (cs_seo)
    Elias Häußler, Tue, 20 May 2025 12:01:00 +0200
    https://typo3.org/security/advisory/typo3-ext-sa-2025-005

    It has been discovered that the extension "[clickstorm] SEO" (cs_seo) is susceptible to Cross-Site Scripting.

  • Release Date: May 20, 2025
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "[clickstorm] SEO" (cs_seo)
  • Composer Package Name: clickstorm/cs-seo
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: 6.3.0 – 6.7.0, 7.0.0 – 7.4.0, 8.0.0 – 8.3.0, 9.0.0 – 9.2.0
  • Severity: Medium
  • Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
  • References: CVE-2025-48203, CWE-79
    Problem Description

    The extension fails to properly encode user input for output in HTML context in the TYPO3 backend user interface. Note that the vulnerability can only be exploited by a logged-in backend user.

    Solution

    Updated versions 6.8.0, 7.5.0, 8.4.0 and 9.3.0 are available from the TYPO3 extension manager, packagist and at
    https://extensions.typo3.org/extension/download/cs_seo/6.8.0/zip
    https://extensions.typo3.org/extension/download/cs_seo/7.5.0/zip
    https://extensions.typo3.org/extension/download/cs_seo/8.4.0/zip
    https://extensions.typo3.org/extension/download/cs_seo/9.3.0/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Alexander Künzl for reporting the issue and to Marc Hirdes for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    TYPO3-EXT-SA-2025-004: Insecure Direct Object Reference in extension "Download manager" (reint_downloadmanager)
    Elias Häußler, Tue, 20 May 2025 12:00:00 +0200
    https://typo3.org/security/advisory/typo3-ext-sa-2025-004

    It has been discovered that the extension "Download manager" (reint_downloadmanager) is susceptible to Insecure Direct Object Reference.

  • Release Date: May 20, 2025
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Download manager" (reint_downloadmanager)
  • Composer Package Name: renolit/reint-downloadmanager
  • Vulnerability Type: Insecure Direct Object Reference
  • Affected Versions: 4.0.1 and below, 5.0.0
  • Severity: Medium
  • Suggested CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
  • References: CVE-2025-48207, CWE-639
    Problem Description

    The extension fails to validate the downloaduid parameter of the downloadAction, resulting in an Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this vulnerability to download any file available in the system, even protected ones.

    Solution

    Updated versions 4.0.2 and 5.0.1 are available from the TYPO3 extension manager, packagist and at
    https://extensions.typo3.org/extension/download/reint_downloadmanager/4.0.2/zip
    https://extensions.typo3.org/extension/download/reint_downloadmanager/5.0.1/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Alexander Künzl for reporting the issue and to Ephraim Härer for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    TYPO3-CORE-SA-2025-016: Privilege Escalation to System Maintainer
    Oliver Hader, Tue, 20 May 2025 11:06:00 +0200
    https://typo3.org/security/advisory/typo3-core-sa-2025-016

    It has been discovered that TYPO3 CMS is susceptible to broken authentication.

    Problem Description

    Administrator-level backend users without system maintainer privileges can escalate their privileges and gain system maintainer access. Exploiting this vulnerability requires a valid administrator account.

    Solution

    Update to TYPO3 versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described.

    Credits

    Thanks to Alexander Künzl for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    TYPO3-CORE-SA-2025-015: Broken Authentication in Backend MFA
    Oliver Hader, Tue, 20 May 2025 11:05:00 +0200
    https://typo3.org/security/advisory/typo3-core-sa-2025-015

    It has been discovered that TYPO3 CMS is susceptible to broken authentication.

    Problem Description

    The multifactor authentication (MFA) dialog presented during backend login can be bypassed due to insufficient enforcement of access restrictions on all backend routes.

    Successful exploitation requires valid backend user credentials, as MFA can only be bypassed after successful authentication.

    Solution

    Update to TYPO3 versions 12.4.31 LTS, 13.4.12 LTS that fix the problem described.

    Credits

    Thanks to Jens Jacobsen and Y. Kahveci for reporting this issue, and to TYPO3 security team member Torben Hansen for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    TYPO3-CORE-SA-2025-014: Unrestricted File Upload in File Abstraction Layer
    Oliver Hader, Tue, 20 May 2025 11:04:00 +0200
    https://typo3.org/security/advisory/typo3-core-sa-2025-014

    It has been discovered that TYPO3 CMS is susceptible to security misconfiguration.

    • Component Type: TYPO3 CMS
    • Subcomponent: File Abstraction Layer (ext:core)
    • Release Date: May 20, 2025
    • Vulnerability Type: Security Misconfiguration
    • Affected Versions: 9.0.0-9.5.50, 10.0.0-10.4.49, 11.0.0-11.5.43, 12.0.0-12.4.30, 13.0.0-13.4.11
    • Severity: Medium
    • Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
    • References: CVE-2025-47939, CWE-351, CWE-434

    Problem Description

    By design, the file management module in TYPO3’s backend user interface has historically allowed the upload of any file type, with the exception of those that are directly executable in a web server context. This lack of restriction means it is possible to upload files that may be considered potentially harmful, such as executable binaries (e.g., .exe files), or files with inconsistent file extensions and MIME types (for example, a file incorrectly named with a .png extension but actually carrying the MIME type application/zip).

    Although such files are not directly executable through the web server, their presence can introduce indirect risks. For example, third-party services such as antivirus scanners or malware detection systems might flag or block access to the website for end users if suspicious files are found. This could negatively affect the availability or reputation of the site.

    Solution

    Update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described.

    The mitigation strategies outlined below apply broadly to all file uploads handled through TYPO3's File Abstraction Layer (FAL), not just those performed via the backend interface. This means that any extension or custom integration leveraging FAL will also be subject to the new validation rules and configuration options. Developers are advised to review the implications for their code and refer to the documentation of that change for guidance.

    Strong security defaults - Manual actions required

    These versions introduce new configuration options to better control which files are permitted for upload and to improve consistency checks.

    A new configuration option, $GLOBALS['TYPO3_CONF_VARS']['SYS']['miscfile_ext'], has been added. This option allows administrators to explicitly define which file extensions should be permitted that are not already part of the built-in text or media file groups—examples include archive formats such as zip or xz.

    In addition, two new feature flags have been introduced to enhance security:

    • security.system.enforceAllowedFileExtensions enforces the defined list of allowed file extensions. This flag is enabled by default in new TYPO3 installations, but remains disabled in existing installations to prevent breaking changes.
    • security.system.enforceFileExtensionMimeTypeConsistency ensures that the uploaded file's extension matches its actual MIME type, providing further validation of file integrity. This flag is active by default.

    It is recommended to configure the allowed file extensions via $GLOBALS['TYPO3_CONF_VARS']['SYS']['miscfile_ext'] and to enable the feature flag security.system.enforceAllowedFileExtensions to enforce the restriction.
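    The recommended settings from this advisory written out as a configuration fragment. This is an added example, not code from the advisory or from the TYPO3 project; the file location and the comma-separated format of miscfile_ext (mirroring the existing textfile_ext and mediafile_ext options) are assumptions.

```php
<?php
// Added example (not from the advisory): hardening the FAL upload
// configuration introduced with TYPO3 12.4.31 LTS / 13.4.12 LTS and the
// ELTS releases named in the advisory. Assumed location:
// config/system/additional.php (v12+) or
// typo3conf/AdditionalConfiguration.php (older versions).

// Weak state in an EXISTING installation after the upgrade: the allowlist
// exists but is not enforced, so any upload that is not directly
// executable by the web server is still accepted (e.g. .exe binaries).
// $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.system.enforceAllowedFileExtensions'] = false;

// Hardened state, as recommended by the advisory:

// 1. Explicitly list the non-text, non-media extensions editors really
//    need. 'zip' and 'xz' are the archive formats the advisory uses as
//    examples; comma-separated list format is an assumption.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['miscfile_ext'] = 'zip,xz';

// 2. Enforce the allowlist. New installations get this by default;
//    existing installations have to opt in.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.system.enforceAllowedFileExtensions'] = true;

// 3. Keep the extension/MIME-type consistency check on (it is the default),
//    so a file named photo.png that actually carries application/zip is
//    rejected instead of stored.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.system.enforceFileExtensionMimeTypeConsistency'] = true;
```

    Because the checks apply to every upload that goes through FAL, test extensions and custom integrations that upload files after enabling the flag, not only the backend file module.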

    Credits

    Thanks to Hamed Kohi for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    TYPO3-CORE-SA-2025-013: Unverified Password Change for Backend Users
    Oliver Hader, Tue, 20 May 2025 11:03:00 +0200
    https://typo3.org/security/advisory/typo3-core-sa-2025-013

    It has been discovered that TYPO3 CMS is susceptible to security misconfiguration.

    • Component Type: TYPO3 CMS
    • Subcomponent: DataHandler & Setup Module (ext:core, ext:setup)
    • Release Date: May 20, 2025
    • Vulnerability Type: Security Misconfiguration
    • Affected Versions: 9.0.0-9.5.50, 10.0.0-10.4.49, 11.0.0-11.5.43, 12.0.0-12.4.30, 13.0.0-13.4.11
    • Severity: Low
    • Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
    • References: CVE-2025-47938, CWE-620

    Problem Description

    The backend user management interface allows password changes without requiring the current password. When an administrator updates their own account or modifies other user accounts via the admin interface, the current password is not requested for verification.

    This behavior may lower the protection against unauthorized access in scenarios where an admin session is hijacked or left unattended, as it enables password changes without additional authentication.

    Solution

    Update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described.

    In these versions, administrators are required to verify their identity through step-up authentication (also known as sudo mode) when changing backend user passwords.

    Strong security defaults

    The changed behavior may pose challenges when integrating remote single sign-on (SSO) providers, as these typically do not support a dedicated step-up authentication process. To address this, new PSR-14 events have been introduced: SudoModeRequiredEvent (triggered before showing the sudo-mode verification dialog) and SudoModeVerifyEvent (triggered before actually verifying the submitted password) - see https://docs.typo3.org/permalink/changelog:feature-106743-1747931468 for details.

    Credits

    Thanks to the National Cyber Security Center (NCSC) of Switzerland for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    TYPO3-CORE-SA-2025-012: Server-Side Request Forgery via Webhooks
    Oliver Hader, Tue, 20 May 2025 11:02:00 +0200
    https://typo3.org/security/advisory/typo3-core-sa-2025-012

    It has been discovered that TYPO3 CMS is susceptible to server-side request forgery.

    Problem Description

    Webhooks are inherently vulnerable to Server-Side Request Forgery (SSRF), which can be exploited by adversaries to target internal resources (e.g., localhost or other services on the local network). While this is not a vulnerability in TYPO3 itself, it may enable attackers to blindly access systems that would otherwise be inaccessible. An administrator-level backend user account is required to exploit this vulnerability.

    Solution

    Update to TYPO3 versions 12.4.31 LTS, 13.4.12 LTS that fix the problem described.

    Manual actions required

    To mitigate potential SSRF risks via webhooks, it is recommended to explicitly allow access only to trusted hosts. This can be achieved by configuring the allowlist in $GLOBALS['TYPO3_CONF_VARS']['HTTP']['allowed_hosts']['webhooks'].

    • If the allowlist is not defined or set to null, all requests will be allowed.
    • If the allowlist is an empty array, all requests will be blocked.

    By default, the factory setting allows all requests. This prevents existing webhooks from failing after upgrading to the affected TYPO3 versions. Administrators must configure this setting manually to enforce restrictions.
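    The three states of the webhook allowlist side by side, as an added configuration example that is not part of the advisory or the TYPO3 project. The file location and the hostnames are assumptions; the exact host-matching syntax is not specified in the advisory.

```php
<?php
// Added example (not from the advisory): restricting webhook targets with
// the allowlist introduced in TYPO3 12.4.31 LTS / 13.4.12 LTS.
// Assumed location: config/system/additional.php.

// Factory default after the upgrade: null (or an undefined key) allows
// every target. Existing webhooks keep working, but a webhook pointed at
// localhost or another internal service is not prevented.
// $GLOBALS['TYPO3_CONF_VARS']['HTTP']['allowed_hosts']['webhooks'] = null;

// Lockdown: an empty array blocks all webhook requests. A reasonable
// interim state while the list of legitimate targets is being collected.
// $GLOBALS['TYPO3_CONF_VARS']['HTTP']['allowed_hosts']['webhooks'] = [];

// Recommended: allow only the hosts your webhooks legitimately call.
// The hostnames below are constructed placeholders. Internal addresses
// (localhost, private ranges) deliberately do not appear in the list.
$GLOBALS['TYPO3_CONF_VARS']['HTTP']['allowed_hosts']['webhooks'] = [
    'hooks.example.com',
    'api.partner.example',
];
```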

    Credits

    Thanks to the National Cyber Security Center (NCSC) of Switzerland for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    TYPO3-CORE-SA-2025-011: Information Disclosure via DBAL Restriction Handling
    Oliver Hader, Tue, 20 May 2025 11:01:00 +0200
    https://typo3.org/security/advisory/typo3-core-sa-2025-011

    It has been discovered that TYPO3 CMS is susceptible to information disclosure.

    • Component Type: TYPO3 CMS
    • Subcomponent: DBAL (ext:core)
    • Release Date: May 20, 2025
    • Vulnerability Type: Information Disclosure
    • Affected Versions: 9.0.0-9.5.50, 10.0.0-10.4.49, 11.0.0-11.5.43, 12.0.0-12.4.30, 13.0.0-13.4.11
    • Severity: Low
    • Suggested CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
    • References: CVE-2025-47937, CWE-863

    Problem Description

    When performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via FrontendGroupRestriction to the last table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users.

    Solution

    Update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described.

    Credits

    Thanks to Christian Futterlieb for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    TYPO3-EXT-SA-2025-003: Multiple vulnerabilities in extension “[clickstorm] SEO” (cs_seo)
    Torben Hansen, Tue, 18 Mar 2025 10:01:00 +0100
    https://typo3.org/security/advisory/typo3-ext-sa-2025-003

    It has been discovered that the extension "[clickstorm] SEO" (cs_seo) is susceptible to Cross-Site Scripting and Insecure Direct Object Reference.

  • Release Date: March 18, 2025
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: “[clickstorm] SEO” (cs_seo)
  • Composer Package Name: clickstorm/cs-seo
  • Vulnerability Type: Cross-Site Scripting and Insecure Direct Object Reference
  • Affected Versions: 6.0.0 - 6.6.0, 7.0.0 - 7.3.3, 8.0.0 - 8.2.1, 9.0.0 - 9.1.0
  • Severity: Medium
  • Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
  • References: CVE-2025-30081, CVE-2025-30082, CWE-79, CWE-639, CWE-284
    Problem Description

    The extension fails to properly encode user input for output in HTML context in the TYPO3 backend user interface. Additionally, the SEO file module fails to verify whether a user is allowed to view or modify the file metadata of a specified file identifier, resulting in Broken Access Control and Insecure Direct Object Reference.

    Note that all vulnerabilities can only be exploited by a logged-in backend user.

    Solution

    Updated versions 6.7.0, 7.4.0, 8.3.0 and 9.2.0 are available from the TYPO3 extension manager, packagist and at
    https://extensions.typo3.org/extension/download/cs_seo/6.7.0/zip
    https://extensions.typo3.org/extension/download/cs_seo/7.4.0/zip
    https://extensions.typo3.org/extension/download/cs_seo/8.3.0/zip
    https://extensions.typo3.org/extension/download/cs_seo/9.2.0/zip

    Users of the extension are advised to update the extension as soon as possible.

    Additionally, the TYPO3 Security Team recommends enabling the Content Security Policy (CSP) for the TYPO3 backend user interface in TYPO3 12.4. In TYPO3 13.4, this security feature is enabled by default.

    Credits

    Thanks to the Swiss NCSC Vulnerability Management Team for reporting the Cross-Site Scripting issue, to TYPO3 Security Team Member Torben Hansen for reporting the IDOR vulnerabilities and to Marc Hirdes for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    TYPO3-EXT-SA-2025-002: Cross-Site Scripting in extension “Additional TCA” (additional_tca)
    Torben Hansen, Tue, 18 Mar 2025 10:00:00 +0100
    https://typo3.org/security/advisory/typo3-ext-sa-2025-002

    It has been discovered that the extension “Additional TCA” (additional_tca) is susceptible to Cross-Site Scripting.

  • Release Date: March 18, 2025
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: “Additional TCA” (additional_tca)
  • Composer Package Name: codingms/additional-tca
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: 1.7.0 - 1.15.16, 1.16.0 - 1.16.8
  • Severity: Medium
  • Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
  • References: CVE-2025-30083, CWE-79
    Problem Description

    The extension fails to properly encode user input for output in HTML context in the TYPO3 backend user interface. Note that the vulnerability can only be exploited by a logged-in backend user.

    Solution

    Updated versions 1.15.17 and 1.16.9 are available from the TYPO3 extension manager, packagist and at
    https://extensions.typo3.org/extension/download/additional_tca/1.15.17/zip
    https://extensions.typo3.org/extension/download/additional_tca/1.16.9/zip

    Users of the extension are advised to update the extension as soon as possible.

    Additionally, the TYPO3 Security Team recommends enabling the Content Security Policy (CSP) for the TYPO3 backend user interface in TYPO3 12.4. In TYPO3 13.4, this security feature is enabled by default.

    Credits

    Thanks to the Swiss NCSC Vulnerability Management Team for reporting the issue and to Thomas Deuling for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    TYPO3-EXT-SA-2025-001: Account Takeover in extension "OpenID Connect Authentication" (oidc)
    Torben Hansen, Tue, 28 Jan 2025 14:00:00 +0100
    https://typo3.org/security/advisory/typo3-ext-sa-2025-001

    It has been discovered that the extension "OpenID Connect Authentication" (oidc) is susceptible to Account Takeover.

  • Release Date: January 28, 2025
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "OpenID Connect Authentication" (oidc)
  • Composer Package Name: causal/oidc
  • Vulnerability Type: Account Takeover
  • Affected Versions: 3.0.0 and below
  • Severity: Low
  • Suggested CVSS v3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
  • References: CVE-2025-24856, CWE-639, CWE-288
    Problem Description

    A vulnerability in the account linking logic of the extension allows a pre-hijacking attack leading to Account Takeover. The vulnerability can only be exploited if the following requirements are met:

    • An attacker can anticipate the email address of the user.
    • An attacker can register a public frontend user account using that email address before the user's first OIDC login.
    • The IDP returns the field email containing the email address of the user.

    Solution

    An updated version 4.0.0 is available from the TYPO3 extension manager, packagist and at
    https://extensions.typo3.org/extension/download/oidc/4.0.0/zip

    Users of the extension are advised to update the extension as soon as possible.

    Important: The fixed version contains a breaking change, because the “username” field has been removed from the user lookup of the OIDC authentication service. Users relying on this functionality can use the AuthenticationFetchUserEvent to adjust the lookup criteria, but must ensure that the lookup criteria do not include a field that contains user-generated content.

    Credits

    Thanks to Hannes Lau for reporting the issue and to Markus Klein for providing an updated version of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    TYPO3-CORE-SA-2025-010: Cross-Site Request Forgery in DB Check Module
    Oliver Hader, Tue, 14 Jan 2025 11:10:00 +0100
    https://typo3.org/security/advisory/typo3-core-sa-2025-010

    It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.

    Problem Description

    A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

    Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:

    • the user opens a malicious link, such as one sent via email.
    • the user visits a compromised or manipulated website while the following settings are misconfigured:
      • security.backend.enforceReferrer feature is disabled,
      • BE/cookieSameSite configuration is set to lax or none

    The vulnerability in the affected downstream component “DB Check Module” allows attackers to manipulate data through unauthorized actions.

    Solution

    Update to TYPO3 version 11.5.42 ELTS, which fixes the problem described.

    In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.

    Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.

    Credits

    Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    TYPO3-CORE-SA-2025-009: Cross-Site Request Forgery in Scheduler Module
    Oliver Hader, Tue, 14 Jan 2025 11:09:00 +0100
    https://typo3.org/security/advisory/typo3-core-sa-2025-009

    It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.

    Problem Description

    A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

    Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:

    • the user opens a malicious link, such as one sent via email.
    • the user visits a compromised or manipulated website while the following settings are misconfigured:
      • security.backend.enforceReferrer feature is disabled,
      • BE/cookieSameSite configuration is set to lax or none

    The vulnerability in the affected downstream component “Scheduler Module” allows attackers to trigger pre-defined command classes - which can lead to unauthorized import or export of data in the worst case.

    Solution

Update to TYPO3 version 11.5.42 ELTS, which fixes the problem described.

    In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.

    Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.

    Credits

    Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>
    Development TYPO3 CMS
    news-2709 Tue, 14 Jan 2025 11:08:00 +0100 TYPO3-CORE-SA-2025-008: Cross-Site Request Forgery in Indexed Search Module Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2025-008 It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.

    Problem Description

    A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

    Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:

    • the user opens a malicious link, such as one sent via email.
    • the user visits a compromised or manipulated website while the following settings are misconfigured:
      • security.backend.enforceReferrer feature is disabled,
      • BE/cookieSameSite configuration is set to lax or none

    The vulnerability in the affected downstream component “Indexed Search Module” allows attackers to delete items of the component.

    Solution

    Update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.

    In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.

    Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.

    Credits

    Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>
    Development TYPO3 CMS
    news-2708 Tue, 14 Jan 2025 11:07:00 +0100 TYPO3-CORE-SA-2025-007: Cross-Site Request Forgery in Form Framework Module Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2025-007 It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.

    Problem Description

    A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

    Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:

    • the user opens a malicious link, such as one sent via email.
    • the user visits a compromised or manipulated website while the following settings are misconfigured:
      • security.backend.enforceReferrer feature is disabled,
      • BE/cookieSameSite configuration is set to lax or none

    The vulnerability in the affected downstream component “Form Framework Module” allows attackers to manipulate or delete persisted form definitions.

    Solution

    Update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.

    In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.

    Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.

    Credits

    Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>
    Development TYPO3 CMS
    news-2707 Tue, 14 Jan 2025 11:06:00 +0100 TYPO3-CORE-SA-2025-006: Cross-Site Request Forgery in Extension Manager Module Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2025-006 It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.

    Problem Description

    A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

    Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:

    • the user opens a malicious link, such as one sent via email.
    • the user visits a compromised or manipulated website while the following settings are misconfigured:
      • security.backend.enforceReferrer feature is disabled,
      • BE/cookieSameSite configuration is set to lax or none

    The vulnerability in the affected downstream component “Extension Manager Module” allows attackers to retrieve and install 3rd party extensions from the TYPO3 Extension Repository - which can lead to remote code execution in the worst case.

    Solution

    Update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.

    In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.

    Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.

    Credits

    Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>
    Development TYPO3 CMS
    news-2706 Tue, 14 Jan 2025 11:05:00 +0100 TYPO3-CORE-SA-2025-005: Cross-Site Request Forgery in Dashboard Module Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2025-005 It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.

    Problem Description

    A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

    Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:

    • the user opens a malicious link, such as one sent via email.
    • the user visits a compromised or manipulated website while the following settings are misconfigured:
      • security.backend.enforceReferrer feature is disabled,
      • BE/cookieSameSite configuration is set to lax or none

    The vulnerability in the affected downstream component “Dashboard Module” allows attackers to manipulate the victim’s dashboard configuration.

    Solution

    Update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.

    In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.

    Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.

    Credits

    Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>
    Development TYPO3 CMS
    news-2705 Tue, 14 Jan 2025 11:04:00 +0100 TYPO3-CORE-SA-2025-004: Cross-Site Request Forgery in Backend User Module Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2025-004 It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.

    Problem Description

    A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

    Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:

    • the user opens a malicious link, such as one sent via email.
    • the user visits a compromised or manipulated website while the following settings are misconfigured:
      • security.backend.enforceReferrer feature is disabled,
      • BE/cookieSameSite configuration is set to lax or none

    The vulnerability in the affected downstream component “Backend User Module” allows attackers to initiate password resets for other backend users or to terminate their user sessions.

    Solution

    Update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.

    In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.

    Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.

    Credits

    Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>
    Development TYPO3 CMS
    news-2704 Tue, 14 Jan 2025 11:03:00 +0100 TYPO3-CORE-SA-2025-003: Cross-Site Request Forgery in Log Module Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2025-003 It has been discovered that TYPO3 CMS is susceptible to cross-site request forgery.

    Problem Description

    A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

    Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:

    • the user opens a malicious link, such as one sent via email.
    • the user visits a compromised or manipulated website while the following settings are misconfigured:
      • security.backend.enforceReferrer feature is disabled,
      • BE/cookieSameSite configuration is set to lax or none

    The vulnerability in the affected downstream component “Log Module” allows attackers to remove log entries.

    Solution

    Update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.

    In general, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict – which are the default settings.

    Extension authors are advised to review and update their codebase accordingly. For further guidance, consult the official documentation on Security Considerations for Backend Modules.
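The CSRF advisories above (DB Check, Scheduler, Indexed Search, Form Framework, Extension Manager, Dashboard, Backend User and Log modules) share one root cause: a backend deep link that changes state when requested via GET and without a request-bound token, so a link on an attacker's page is executed with the victim's backend session. The following is an added example, not code from the TYPO3 project or from the advisories. It shows the two site-level settings the advisories recommend keeping at their defaults and a hypothetical backend module action first in the affected shape, then hardened. Namespace, class, repository and form names are assumptions; the FormProtectionFactory service and its createFromRequest()/validateToken() calls are the TYPO3 v12+ API.

```php
<?php
declare(strict_types=1);

// Added example; not code from the TYPO3 project or from these advisories.
// Route, class, repository and form names are hypothetical.
//
// Site-operator side: the two settings the advisories say to keep at their
// defaults (config/system/settings.php in v12/v13,
// typo3conf/LocalConfiguration.php in v11):
//
//   $GLOBALS['TYPO3_CONF_VARS']['BE']['cookieSameSite'] = 'strict';
//   $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceReferrer'] = true;
//
// Extension-author side: a backend module action, first in the shape the
// advisories describe, then hardened.

namespace Vendor\MyExt\Controller;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Core\FormProtection\FormProtectionFactory;
use TYPO3\CMS\Core\Http\JsonResponse;
use Vendor\MyExt\Domain\Repository\LogEntryRepository; // hypothetical

final class LogCleanupController
{
    private const FORM_NAME = 'myExtLogCleanup';

    public function __construct(
        private readonly FormProtectionFactory $formProtectionFactory, // TYPO3 v12+ service
        private readonly LogEntryRepository $logEntryRepository,       // hypothetical
    ) {
    }

    // BEFORE: a state change on any HTTP method, driven by the query string.
    // A deep link such as /typo3/module/my-ext/log-cleanup?delete=42 placed on
    // a third-party page (<img src=...>, <a href=...>) runs with the victim's
    // backend session cookie whenever the browser attaches it: always when the
    // victim clicks the link, and also on cross-site navigation when
    // cookieSameSite is lax/none and enforceReferrer is off.
    public function deleteActionBefore(ServerRequestInterface $request): ResponseInterface
    {
        $uid = (int)($request->getQueryParams()['delete'] ?? 0);
        $this->logEntryRepository->delete($uid);
        return new JsonResponse(['deleted' => $uid]);
    }

    // AFTER: (1) POST only, (2) a form token bound to this form and action,
    // (3) parameters read from the body, never from the query string.
    public function deleteAction(ServerRequestInterface $request): ResponseInterface
    {
        if ($request->getMethod() !== 'POST') {
            return new JsonResponse(['error' => 'method not allowed'], 405);
        }
        $body = (array)$request->getParsedBody();
        $formProtection = $this->formProtectionFactory->createFromRequest($request);
        if (!$formProtection->validateToken((string)($body['token'] ?? ''), self::FORM_NAME, 'delete')) {
            return new JsonResponse(['error' => 'invalid form token'], 403);
        }
        $uid = (int)($body['delete'] ?? 0);
        $this->logEntryRepository->delete($uid);
        return new JsonResponse(['deleted' => $uid]);
    }

    // Token the module template embeds as a hidden field named "token" in the
    // POST form that submits to deleteAction().
    public function tokenForDeleteForm(ServerRequestInterface $request): string
    {
        return $this->formProtectionFactory
            ->createFromRequest($request)
            ->generateToken(self::FORM_NAME, 'delete');
    }
}
```

The method check alone is not sufficient: a cross-site POST is still possible from an auto-submitting form, which is what the token rejects. Conversely the token alone does not help if the action also accepts GET, because the deep link then needs no form at all. On TYPO3 v11 the equivalent of the injected factory is the static FormProtectionFactory::get('backend'); the token generation and validation calls are the same.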

    Credits

    Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>
    Development TYPO3 CMS
    news-2703 Tue, 14 Jan 2025 11:02:00 +0100 TYPO3-CORE-SA-2025-002: Potential Open Redirect via Parsing Differences Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2025-002 It has been discovered that TYPO3 CMS is susceptible to open redirect.
    • Component Type: TYPO3 CMS
    • Subcomponent: HTTP URI Component (ext:core)
    • Release Date: January 14, 2025
    • Vulnerability Type: Open Redirect
    • Affected Versions: 9.0.0-9.5.48, 10.0.0-10.4.47, 11.0.0-11.5.41, 12.0.0-12.4.24, 13.0.0-13.4.2
    • Severity: Medium
    • Suggested CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
• References: CVE-2024-55892, CWE-601

    Problem Description

    Applications that use TYPO3\CMS\Core\Http\Uri to parse externally provided URLs (e.g., via a query parameter) and validate the host of the parsed URL may be vulnerable to open redirect or SSRF attacks if the URL is used after passing the validation checks.
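The advisory does not state which parsing difference is involved, and the fix is the update below. The following added example (not code from the TYPO3 project or from this advisory) illustrates the pattern the advisory warns about: a hypothetical "?return=" redirect that validates the host on the parsed Uri object but then forwards the raw input string, so the check and the redirect can disagree about the host. Beside it is a stricter variant that also pins the scheme, rejects user-info, and hands the browser the re-serialized, validated Uri rather than the original text. The middleware, parameter name and allow-list are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; not code from the TYPO3 project or from this advisory.
// Middleware class, "return" parameter and host allow-list are assumptions.

namespace Vendor\MyExt\Middleware;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use TYPO3\CMS\Core\Http\RedirectResponse;
use TYPO3\CMS\Core\Http\Uri;

final class ReturnUrlRedirect implements MiddlewareInterface
{
    // Assumed set of hosts the application may redirect to.
    private const ALLOWED_HOSTS = ['www.example.org', 'shop.example.org'];

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $raw = (string)($request->getQueryParams()['return'] ?? '');
        $target = $raw === '' ? null : $this->strictTarget($raw);
        if ($target === null) {
            return $handler->handle($request);   // ignore missing/invalid targets
        }
        return new RedirectResponse($target, 303);
    }

    // WEAK (the pattern the advisory describes): the host is checked on the
    // parsed object, but the untouched input string is what reaches the
    // browser. If Uri and the browser disagree on where the authority ends,
    // the check and the redirect refer to different hosts.
    public function weakTarget(string $raw): ?string
    {
        try {
            $uri = new Uri($raw);
        } catch (\InvalidArgumentException) {
            return null;
        }
        return in_array($uri->getHost(), self::ALLOWED_HOSTS, true) ? $raw : null;
    }

    // STRICTER: require https, forbid user-info, allow-list the host, and
    // rebuild the target from the validated components so that the string the
    // browser receives is exactly what was validated. This narrows the impact
    // of a parser mismatch; it does not replace updating the Uri class itself.
    public function strictTarget(string $raw): ?string
    {
        try {
            $uri = new Uri($raw);
        } catch (\InvalidArgumentException) {
            return null;
        }
        if ($uri->getScheme() !== 'https' || $uri->getUserInfo() !== '') {
            return null;
        }
        $host = strtolower($uri->getHost());
        if (!in_array($host, self::ALLOWED_HOSTS, true)) {
            return null;
        }
        $clean = (new Uri())
            ->withScheme('https')
            ->withHost($host)
            ->withPath($uri->getPath())
            ->withQuery($uri->getQuery());
        return (string)$clean;
    }
}
```

Where the redirect only ever needs to land on the same site, the simplest hardening is to accept only a relative path (no scheme, no authority) and prepend the site's own origin server-side; a host allow-list is only needed when cross-host redirects are a genuine requirement.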

    Solution

    Update to TYPO3 versions 9.5.49 ELTS, 10.4.48 ELTS, 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.

    Credits

    Thanks to Sam Mush and Christian Eßl who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>
    Development TYPO3 CMS
    news-2702 Tue, 14 Jan 2025 11:01:00 +0100 TYPO3-CORE-SA-2025-001: Information Disclosure via Exception Handling/Logger Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2025-001 It has been discovered that TYPO3 CMS is susceptible to information disclosure.

    Problem Description

It has been discovered that the Install Tool password was logged in plaintext if the password hashing mechanism used for the password was incorrect.

    Solution

Update to TYPO3 version 13.4.3 LTS, which fixes the problem described.

    Credits

    Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>
    Development TYPO3 CMS
    news-2645 Tue, 08 Oct 2024 11:02:00 +0200 TYPO3-CORE-SA-2024-012: Information Disclosure in TYPO3 Page Tree Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2024-012 It has been discovered that TYPO3 CMS is susceptible to information disclosure.

    Problem Description

    Backend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but the pages allowed access to "everybody." However, affected users could not manipulate these pages.

    Solution

    Update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described.

    Credits

    Thanks to Peter Schuler who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>
    Development TYPO3 CMS
    news-2644 Tue, 08 Oct 2024 11:01:00 +0200 TYPO3-CORE-SA-2024-011: Denial of Service in TYPO3 Bookmark Toolbar Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2024-011 It has been discovered that TYPO3 CMS is susceptible to denial of service.

    Problem Description

    Due to insufficient input validation, manipulated data saved in the bookmark toolbar of the backend user interface causes a general error state, blocking further access to the interface. Exploiting this vulnerability requires an administrator-level backend user account.

    Solution

    Update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described.

    Credits

    Thanks to Hendrik Eichner who reported this issue and to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>
    Development TYPO3 CMS
    news-2624 Tue, 17 Sep 2024 10:20:00 +0200 TYPO3-EXT-SA-2024-007: Insecure Direct Object Reference in extension "powermail" (powermail) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2024-007 It has been discovered that the extension "powermail" (powermail) is susceptible to Insecure Direct Object Reference.
  • Release Date: September 17, 2024
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "powermail" (powermail)
  • Composer Package Name: in2code/powermail
  • Vulnerability Type: Insecure Direct Object Reference
  • Affected Versions: 7.5.0 and below, 8.0.0 - 8.5.0, 9.0.0 - 10.9.0, 12.0.0 - 12.4.0
  • Severity: Medium
  • Suggested CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
  • References: CVE-2024-47047, CWE-284
  • Problem Description

The extension fails to validate the “mail” parameter of the “createAction”, resulting in Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this vulnerability to display user-submitted data of all forms persisted by the extension. Note that this vulnerability can only be exploited when the following conditions are met:

    • The extension is configured to save submitted form data to the database
    • The powermail plugin setting “Redirect to any other Page after submit” is not set
    • The powermail plugin setting “Text on submit page“ contains the variable “{powermail_all}” or other variables containing sensitive user submitted data.

    Solution

Updated versions 7.5.1, 8.5.1, 10.9.1 and 12.4.1 are available from the TYPO3 extension manager, packagist and at
    https://extensions.typo3.org/extension/download/powermail/7.5.1/zip
    https://extensions.typo3.org/extension/download/powermail/8.5.1/zip
    https://extensions.typo3.org/extension/download/powermail/10.9.1/zip
    https://extensions.typo3.org/extension/download/powermail/12.4.1/zip
    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Marcus Schwemer for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>
    Development
    news-2607 Tue, 27 Aug 2024 11:00:00 +0200 TYPO3-EXT-SA-2024-006: Multiple vulnerabilities in "powermail" (powermail) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2024-006 It has been discovered that the extension "powermail" (powermail) is susceptible to Insecure Direct Object Reference and Broken Access Control.
  • Release Date: August 27, 2024
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "powermail" (powermail)
  • Composer Package Name: in2code/powermail
  • Vulnerability Type: Insecure Direct Object Reference and Broken Access Control
  • Affected Versions: 7.4.3 and below, 8.0.0 - 8.4.2, 9.0.0 - 10.8.2, 12.0.0 - 12.3.5
  • Severity: Medium
  • Suggested CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
  • References: CVE-2024-45232, CVE-2024-45233, CWE-639, CWE-284
  • Problem Description

The extension fails to validate the “mail” parameter of the “confirmationAction”, resulting in Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this vulnerability to display user-submitted data of all forms persisted by the extension. Note that this vulnerability can only be exploited when the extension is configured to save submitted form data to the database (TypoScript constant: plugin.tx_powermail.settings.db.enable = 1), which is however the default setting of the extension.

Several actions in the “OutputController” can be called directly due to missing or insufficiently implemented access checks, resulting in Broken Access Control. Depending on the configuration of the “Powermail Frontend” plugins, an unauthenticated attacker can use this vulnerability to edit, update, delete or export data of persisted forms. Note that this vulnerability can only be exploited when the “Powermail Frontend” plugins are used.

    Solution

Updated versions 7.5.0, 8.5.0, 10.9.0 and 12.4.0 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/powermail/7.5.0/zip
https://extensions.typo3.org/extension/download/powermail/8.5.0/zip
https://extensions.typo3.org/extension/download/powermail/10.9.0/zip
https://extensions.typo3.org/extension/download/powermail/12.4.0/zip
    Users of the extension are advised to update the extension as soon as possible.

    Important: The “Export” and “RSS” functionality of the “Powermail Frontend” plugin have been removed without replacement.

    Credits

Thanks to Christian Pschorr for reporting the IDOR vulnerability, Security Team Member Oliver Hader for reporting the Broken Access Control issue and to Marcus Schwemer for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>
    Development
    news-2573 Tue, 18 Jun 2024 11:02:00 +0200 TYPO3-EXT-SA-2024-005: Multiple vulnerabilities in "Aimeos shop and e-commerce framework" (aimeos) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2024-005 It has been discovered that the extension "Aimeos shop and e-commerce framework" (aimeos) is susceptible to Remote Code Execution and Insecure Direct Object Reference.
  • Release Date: June 18, 2024
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Aimeos shop and e-commerce framework" (aimeos)
  • Composer Package Name: aimeos/aimeos-typo3
  • Vulnerability Type: Remote Code Execution and Insecure Direct Object Reference
  • Affected Versions: 22.10.9 and below, 23.0.0 - 23.10.6, 24.0.0 - 24.4.1
  • Severity: High
  • Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
  • References: N/A, CWE-73, CWE-639
  • Problem Description

    The extension permits specifying the file extension for uploaded product images. This allows an authenticated admin user to upload a crafted image file with a PHP executable extension, potentially leading to Remote Code Execution (RCE).
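Letting the client choose the stored file extension (CWE-73) turns an image upload into a PHP drop if the upload directory is executed by the web server. The following added example is not code from Aimeos or from this advisory; it shows the weak pattern in a hypothetical product-image store beside a variant that derives the extension server-side from the detected image type and never from the request. Class name, upload directory and the set of accepted image types are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; not code from Aimeos or from this advisory.
// Class name, $uploadDir and the accepted image types are assumptions.

final class ProductImageStore
{
    // Extension is chosen from the *detected* type, never from the client.
    private const EXTENSION_BY_TYPE = [
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_WEBP => 'webp',
    ];

    public function __construct(private readonly string $uploadDir)
    {
    }

    // WEAK: the caller (ultimately the HTTP request) decides the extension.
    // A request naming "php" or "phtml" yields an executable file in a
    // web-served directory.
    public function storeWithClientExtension(string $tmpPath, string $clientExtension): string
    {
        $dest = $this->uploadDir . '/' . bin2hex(random_bytes(8)) . '.' . $clientExtension;
        if (!copy($tmpPath, $dest)) {
            throw new \RuntimeException('could not store upload');
        }
        return $dest;
    }

    // HARDENED: sniff the content, map the detected type to a fixed
    // extension, and generate the file name entirely on the server.
    public function store(string $tmpPath): string
    {
        $info = @getimagesize($tmpPath);          // false for non-images
        $type = is_array($info) ? $info[2] : null; // IMAGETYPE_* constant
        if ($type === null || !isset(self::EXTENSION_BY_TYPE[$type])) {
            throw new \InvalidArgumentException('not an accepted image type');
        }
        $dest = $this->uploadDir . '/' . bin2hex(random_bytes(8)) . '.' . self::EXTENSION_BY_TYPE[$type];
        if (!copy($tmpPath, $dest)) {
            throw new \RuntimeException('could not store upload');
        }
        return $dest;
    }
}
```

Content sniffing stops the extension being attacker-chosen, but a valid image can still carry PHP in its metadata, so the upload directory should additionally be configured so the web server never executes scripts from it (or be served from a host that has no PHP handler at all).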

    The extension does not verify if a specified digital product identifier is authorized for download. This allows an authenticated frontend user to download digital products without completing payment, resulting in an Insecure Direct Object Reference (IDOR) vulnerability.

    Solution

    Updated versions 22.10.10, 23.10.7 and 24.4.2 are available from the TYPO3 extension manager, packagist and at
    https://extensions.typo3.org/extension/download/aimeos/22.10.10/zip
    https://extensions.typo3.org/extension/download/aimeos/23.10.7/zip
    https://extensions.typo3.org/extension/download/aimeos/24.4.2/zip
    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Norbert Sendetzky for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>
    Development
    news-2572 Tue, 18 Jun 2024 11:01:00 +0200 TYPO3-EXT-SA-2024-004: Broken Access Control in "Integration of Friendly Captcha" (friendlycaptcha_official) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2024-004 It has been discovered that the extension "Integration of Friendly Captcha" (friendlycaptcha_official) is susceptible to Broken Access Control.
  • Release Date: June 18, 2024
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Integration of Friendly Captcha" (friendlycaptcha_official)
  • Composer Package Name: studiomitte/friendlycaptcha
  • Vulnerability Type: Broken Access Control
  • Affected Versions: 0.1.3 and below
  • Severity: Medium
  • Suggested CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C
  • References: CVE-2024-38873, CWE-284
  • Problem Description

    The extension fails to check the requirement of the captcha field in submitted form data allowing a remote user to bypass the captcha check. This vulnerability only affects the captcha integration for the ext:form extension.

    Solution

An updated version 0.1.4 is available from the TYPO3 extension manager, packagist and at
    https://extensions.typo3.org/extension/download/friendlycaptcha_official/0.1.4/zip
    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Sebastian Müller for reporting the vulnerability and TYPO3 Core & Security Team member Georg Ringer for providing an updated version of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>
    Development