TYPO3 Backend User Module Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the TYPO3 backend user interface, specifically within the user module of the 'beuser' extension. The issue arises because the module's deep-link functionality does not validate the HTTP method, so state-changing actions can be triggered by a plain GET request. To successfully exploit this vulnerability, a user must have an active backend session and be tricked into clicking a malicious link. Exploitation is facilitated by two misconfigurations: disabling the 'security.backend.enforceReferrer' feature and setting the 'BE/cookieSameSite' configuration to 'lax' or 'none'. Once exploited, attackers can initiate password resets for other backend users or terminate their sessions.
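The defensive counterpart of the flaw described above is to refuse to run any state-changing action over GET and to require a CSRF token on the POST that does run it. The following PSR-15 middleware is an added illustration of that check; it is not TYPO3's own code. The action names ('beuser_reset_password', 'beuser_terminate_session'), the 'action' query parameter and the session-token callback are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3's code): a PSR-15 middleware that guards
// state-changing backend actions. Action names and the 'action' query
// parameter are hypothetical; the middleware only uses PSR-7/PSR-15/PSR-17 APIs.

use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

final class StateChangingActionGuard implements MiddlewareInterface
{
    /** Hypothetical action identifiers that modify server state. */
    private const STATE_CHANGING_ACTIONS = [
        'beuser_reset_password',
        'beuser_terminate_session',
    ];

    /**
     * @param callable(): string $sessionTokenProvider returns the CSRF token
     *        bound to the current backend session (assumed to exist)
     */
    public function __construct(
        private readonly ResponseFactoryInterface $responseFactory,
        private readonly mixed $sessionTokenProvider,
    ) {}

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $action = (string)($request->getQueryParams()['action'] ?? '');
        if (!in_array($action, self::STATE_CHANGING_ACTIONS, true)) {
            // Read-only or unknown action: no method restriction here.
            return $handler->handle($request);
        }

        // A deep link arrives as GET; state changes must only be accepted on POST.
        if ($request->getMethod() !== 'POST') {
            return $this->responseFactory->createResponse(405)->withHeader('Allow', 'POST');
        }

        // Even a POST must carry the session-bound CSRF token; compare in constant time.
        $body = (array)$request->getParsedBody();
        $submitted = (string)($body['csrf_token'] ?? '');
        $expected = ($this->sessionTokenProvider)();
        if ($submitted === '' || !hash_equals($expected, $submitted)) {
            return $this->responseFactory->createResponse(403);
        }

        return $handler->handle($request);
    }
}
```

The method check alone closes the deep-link vector; the token check is what still protects a POST form when the browser sends cookies cross-site, which is exactly the situation created by 'BE/cookieSameSite' set to 'lax' or 'none'.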

Impact

Exploitation allows attackers to perform actions on behalf of the victim, such as resetting passwords or ending user sessions, which could disrupt workflow or lead to unauthorized access.

Reproduction

To reproduce this vulnerability, a user must be logged into the TYPO3 backend with an active session. They must then be deceived into clicking a malicious link that targets the backend user module, for example a link delivered by email that initiates a password reset or session termination for another user. The attack works because the module accepts these state-changing requests over HTTP GET.

Remediation

Users are advised to update TYPO3 to versions 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS, all of which address this vulnerability. Additionally, it is recommended to keep the 'security.backend.enforceReferrer' feature enabled and set 'BE/cookieSameSite' to 'strict', which are the default settings.
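The two settings named in the remediation can be checked and pinned in configuration. The snippet below is an added example, not part of the advisory or of TYPO3's shipped configuration; it shows the weak combination beside the hardened one and a small helper that audits a loaded configuration array. The file location is an assumption (config/system/additional.php for TYPO3 12 and 13 composer installations, typo3conf/AdditionalConfiguration.php for TYPO3 11).

```php
<?php
declare(strict_types=1);

// Added example: hardening the two settings the advisory names.
// Weak combination that enables the deep-link CSRF (shown for contrast only):
//   $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceReferrer'] = false;
//   $GLOBALS['TYPO3_CONF_VARS']['BE']['cookieSameSite'] = 'lax';   // or 'none'

// Hardened values; these are also the TYPO3 defaults, so pinning them
// guards against a later override elsewhere in the configuration.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceReferrer'] = true;
$GLOBALS['TYPO3_CONF_VARS']['BE']['cookieSameSite'] = 'strict';

/**
 * Audit helper (hypothetical): returns a list of findings for the two
 * settings involved in this advisory. An empty list means both are hardened.
 *
 * @param array<string, mixed> $confVars the TYPO3_CONF_VARS array to inspect
 * @return string[]
 */
function auditBackendCsrfSettings(array $confVars): array
{
    $findings = [];

    $enforceReferrer = $confVars['SYS']['features']['security.backend.enforceReferrer'] ?? true;
    if ($enforceReferrer !== true) {
        $findings[] = "security.backend.enforceReferrer is disabled; enable it";
    }

    $sameSite = strtolower((string)($confVars['BE']['cookieSameSite'] ?? 'strict'));
    if ($sameSite !== 'strict') {
        $findings[] = "BE/cookieSameSite is '{$sameSite}'; set it to 'strict'";
    }

    return $findings;
}

// Usage: run against the live configuration and surface anything weak.
foreach (auditBackendCsrfSettings($GLOBALS['TYPO3_CONF_VARS']) as $finding) {
    fwrite(STDERR, "[backend-csrf] {$finding}\n");
}
```

The helper treats a missing key as the default value, which matches the advisory's statement that the hardened settings are the defaults; an explicit weak value is therefore the only thing that produces a finding.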

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 5.0
exploitability: 7.6
remediation: 7.9
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these eight vulnerability categories, which are then combined into the overall risk score.