TYPO3 Log Module Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the TYPO3 backend user interface, specifically in the Log Module of the belog extension. The root cause is that state-changing actions in the Log Module accepted HTTP GET requests instead of enforcing the correct HTTP method, so a plain link could trigger them. Exploitation requires the victim to have an active backend session and to be tricked into following a malicious link that targets the backend, for example one sent via email or one embedded in a compromised website, while certain backend security settings are misconfigured. A successful attack allows the attacker to delete log entries.

Impact

Exploitation of this vulnerability could lead to unauthorized deletion of log entries in the TYPO3 Log Module.

Reproduction

To reproduce this vulnerability, a user must have an active session in the TYPO3 backend and be lured into following a malicious link that triggers the state-changing Log Module action. This can be done by sending an email with a harmful link or by directing the user to a compromised website that takes advantage of misconfigured TYPO3 settings. Both of the following settings must be misconfigured: 'security.backend.enforceReferrer' disabled, and 'BE/cookieSameSite' set to lax or none.
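The conditions above, modelled as an added example (not TYPO3 or belog code): a delete action reachable by GET, a browser rule for when the session cookie accompanies a cross-site request, and the two settings from the advisory. The backend origin, the other-site origin and the log entries are constructed placeholders.

```python
"""Model of the belog CSRF issue: a state-changing action reachable by GET."""
from dataclasses import dataclass, field
from typing import Optional

BACKEND_ORIGIN = "https://backend.example"   # assumed backend origin, not a real host


@dataclass
class Request:
    method: str              # "GET" or "POST"
    cross_site: bool         # initiated from another site (email client, other website)
    top_level: bool          # top-level navigation (link click) vs. subresource/XHR
    referrer: Optional[str]  # Referer header as the browser would send it


def session_cookie_sent(req: Request, same_site: str) -> bool:
    """Browser rule: does the backend session cookie accompany this request?"""
    if not req.cross_site or same_site == "none":
        return True
    if same_site == "lax":
        # Lax cookies are attached only to top-level GET navigations, i.e. link clicks.
        return req.method == "GET" and req.top_level
    return False  # strict: never on a cross-site request


@dataclass
class LogModule:
    require_post: bool        # the fix: the delete action only accepts POST
    enforce_referrer: bool    # models security.backend.enforceReferrer
    cookie_same_site: str     # models BE/cookieSameSite: "strict", "lax" or "none"
    # constructed sample log entries
    entries: dict = field(default_factory=lambda: {1: "login failure", 2: "record edited"})

    def delete_entries(self, req: Request) -> int:
        """Returns an HTTP-style status; 200 means the entries were deleted."""
        if not session_cookie_sent(req, self.cookie_same_site):
            return 401  # no session reached the backend
        if self.require_post and req.method != "POST":
            return 405  # correct HTTP method enforced
        if self.enforce_referrer and not (req.referrer or "").startswith(BACKEND_ORIGIN):
            return 403  # referrer check rejects the cross-site navigation
        self.entries.clear()
        return 200


def cross_site_link_click(module: LogModule) -> int:
    """A victim with a live backend session follows a link to the delete action from another site."""
    req = Request(method="GET", cross_site=True, top_level=True,
                  referrer="https://other-site.example/")
    return module.delete_entries(req)
```

Only the combination of an unfixed module, enforceReferrer disabled and cookieSameSite lax or none lets the link click delete the entries; fixing the HTTP method, enabling the referrer check, or setting the cookie to strict each blocks it on its own.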

Remediation

Users are advised to update TYPO3 to versions 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS, all of which address this vulnerability. Extension authors should review and update their codebases accordingly.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 0.6
exploitability: 7.6
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.