TYPO3 Dashboard Module Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the TYPO3 backend user interface, specifically in the Dashboard Module. The cause is deep-link functionality that accepts state-changing actions over HTTP GET instead of requiring a method such as POST, so the action is triggered simply by loading a URL. Exploitation requires the victim to have an active backend session and to be misled into clicking a malicious link. It is only practical when the 'security.backend.enforceReferrer' feature is disabled and the 'BE/cookieSameSite' setting is lax or none (or not set at all, which browsers treat as lax): with SameSite=strict the browser withholds the session cookie on the cross-site navigation, and with referrer enforcement enabled the backend refuses requests that do not carry a matching Referer.
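As an added illustration (not TYPO3 code and not part of this advisory), the following Python model shows why those preconditions matter together. The browser side follows the SameSite cookie rules; the server side is a simplified stand-in, and the backend origin, the request fields and the "accept GET for state change" flag are assumptions of the model rather than TYPO3 internals.

```python
"""
Model of the conditions that make a GET-based CSRF against a backend
session exploitable.  Added illustration for this advisory, not TYPO3 code:
the cookie rules follow the SameSite specification, the server-side checks
are a simplified stand-in (all names below are assumptions).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Request:
    method: str              # "GET" or "POST"
    top_level: bool          # top-level navigation (clicking a link) vs. XHR/subresource
    cross_site: bool         # initiated from a different site than the backend
    referer: Optional[str]   # Referer header the browser attached, if any


@dataclass(frozen=True)
class ServerConfig:
    cookie_samesite: Optional[str]      # "strict", "lax", "none" or None (attribute absent)
    enforce_referrer: bool              # models security.backend.enforceReferrer
    accept_get_for_state_change: bool   # True = unpatched deep-link behaviour


BACKEND_ORIGIN = "https://typo3.example"   # constructed sample origin


def browser_sends_cookie(samesite: Optional[str], req: Request) -> bool:
    """SameSite rules as browsers apply them; an absent attribute is treated as Lax."""
    mode = (samesite or "lax").lower()
    if not req.cross_site or mode == "none":
        return True
    if mode == "lax":
        # Lax: cookie only on top-level navigations using a safe method
        return req.top_level and req.method in ("GET", "HEAD")
    return False  # strict: never on cross-site requests


def referrer_check_passes(req: Request) -> bool:
    """Stand-in for referrer enforcement: only a same-origin Referer is accepted."""
    return req.referer is not None and req.referer.startswith(BACKEND_ORIGIN)


def dashboard_action_executed(cfg: ServerConfig, req: Request) -> bool:
    """Does the state-changing dashboard action run for this request?"""
    if not browser_sends_cookie(cfg.cookie_samesite, req):
        return False  # no session cookie, the victim just sees the login page
    if cfg.enforce_referrer and not referrer_check_passes(req):
        return False  # foreign Referer rejected
    if req.method != "POST" and not cfg.accept_get_for_state_change:
        return False  # patched stand-in: state changes require POST
    return True


# Attack scenario: the victim clicks a link on the attacker's page, i.e. a
# cross-site, top-level GET navigation.  Constructed sample request.
MALICIOUS_LINK = Request(method="GET", top_level=True, cross_site=True,
                         referer="https://attacker.example/")


def vulnerable_combinations() -> Dict[Tuple[Optional[str], bool, bool], bool]:
    """Map (cookieSameSite, enforceReferrer, acceptsGET) -> attack succeeds?"""
    results = {}
    for samesite in (None, "lax", "none", "strict"):
        for enforce in (False, True):
            for accept_get in (True, False):
                cfg = ServerConfig(samesite, enforce, accept_get)
                results[(samesite, enforce, accept_get)] = dashboard_action_executed(cfg, MALICIOUS_LINK)
    return results


if __name__ == "__main__":
    for (samesite, enforce, accept_get), hit in sorted(vulnerable_combinations().items(), key=str):
        print(f"cookieSameSite={str(samesite):6} enforceReferrer={str(enforce):5} "
              f"acceptsGET={str(accept_get):5} -> {'EXPLOITABLE' if hit else 'blocked'}")
```

Running the model shows the forged GET only succeeds when all three hold at once: the cookie reaches the server (lax, none or unset SameSite), no referrer enforcement, and a handler that still accepts GET for a state change. Any one of SameSite=strict, referrer enforcement or the updated handler blocks it, which is why the two settings are listed as preconditions and the update is the definitive fix.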

Impact

Successful exploitation lets an attacker alter the victim's dashboard configuration in the TYPO3 backend.

Remediation

Update TYPO3 to version 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS. Where an immediate update is not possible, enabling the 'security.backend.enforceReferrer' feature and setting 'BE/cookieSameSite' to strict removes the preconditions described above. Extension authors should review their own backend deep links and ensure that state-changing actions are not reachable via GET.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 0.6
exploitability: 6.5
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.