TYPO3 CMS
cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*
- >= 10.0.0, <= 10.4.47
- >= 11.0.0, <= 11.5.41
- >= 12.0.0, <= 12.4.24
- >= 13.0.0, <= 13.4.2
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the TYPO3 backend user interface, specifically within the Extension Manager Module. The issue arises because state-changing actions in downstream components improperly accepted submissions via HTTP GET instead of enforcing the correct HTTP method. Exploitation requires the victim to have an active backend session and to be tricked into following a malicious link that targets the backend, for example one sent by email or placed on a compromised website. It further requires the TYPO3 instance to be misconfigured in two ways: the 'security.backend.enforceReferrer' feature turned off, and the 'BE/cookieSameSite' setting set to 'lax' or 'none'. A successful attack allows the attacker to access and install third-party extensions from the TYPO3 Extension Repository, potentially leading to remote code execution.
Exploitation of this vulnerability could allow attackers to perform state-changing actions in the TYPO3 backend, specifically through the Extension Manager Module, which could lead to remote code execution.
Users are advised to update TYPO3 to versions 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS. Extension authors should review and update their codebases accordingly. For more guidance, consult the official TYPO3 documentation on Security Considerations for Backend Modules.
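The two defensive points the advisory makes are that a state-changing backend action must refuse anything but POST, and that an instance is only exposed when the referrer enforcement feature is off and the backend cookie's SameSite attribute is relaxed. The following is an added example written for this page; it is not TYPO3 project code and uses no TYPO3 classes, so it runs under plain PHP. The function names (requireStateChangingMethod, checkCsrfPosture), the array layout mirroring $GLOBALS['TYPO3_CONF_VARS'] with the feature toggle under SYS/features, the assumed defaults (feature on, cookieSameSite 'strict'), and the sample configurations are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Models the two checks the advisory implies:
//  1. a state-changing backend action must reject any method other than POST;
//  2. an instance audit for the two settings the advisory names.
// Function names and the config array layout are assumptions for this example.

final class MethodNotAllowed extends RuntimeException {}

/**
 * Method gate for a state-changing action (e.g. installing an extension).
 * The vulnerable behaviour was accepting such an action via GET; the fix is
 * to refuse every non-POST method before any state is touched.
 * Returns true when the request may proceed, throws (HTTP 405) otherwise.
 */
function requireStateChangingMethod(string $method): bool
{
    if (strtoupper($method) !== 'POST') {
        throw new MethodNotAllowed(
            sprintf('Method %s not allowed for a state-changing action', $method),
            405
        );
    }
    return true;
}

/**
 * Audit a TYPO3_CONF_VARS-shaped array for the misconfiguration the advisory
 * describes. Returns a list of findings; an empty list means the instance does
 * not carry the weakening settings. Assumed locations: the feature toggle under
 * SYS/features, the cookie attribute under BE/cookieSameSite; assumed defaults:
 * feature enabled, SameSite 'strict'.
 */
function checkCsrfPosture(array $confVars): array
{
    $findings = [];

    $enforceReferrer = $confVars['SYS']['features']['security.backend.enforceReferrer'] ?? true;
    if ($enforceReferrer === false) {
        $findings[] = "feature 'security.backend.enforceReferrer' is disabled";
    }

    $sameSite = strtolower((string)($confVars['BE']['cookieSameSite'] ?? 'strict'));
    if (in_array($sameSite, ['lax', 'none'], true)) {
        $findings[] = "BE/cookieSameSite is '$sameSite'; 'strict' keeps the backend cookie off cross-site requests";
    }

    return $findings;
}

// Constructed sample configurations (not taken from any real instance).
$weak = [
    'SYS' => ['features' => ['security.backend.enforceReferrer' => false]],
    'BE'  => ['cookieSameSite' => 'lax'],
];
$hardened = [
    'SYS' => ['features' => ['security.backend.enforceReferrer' => true]],
    'BE'  => ['cookieSameSite' => 'strict'],
];

foreach (['weak' => $weak, 'hardened' => $hardened] as $label => $conf) {
    $findings = checkCsrfPosture($conf);
    echo $label . ': ' . ($findings ? implode('; ', $findings) : 'no findings') . PHP_EOL;
}

// Simulated dispatch of the same action via GET and via POST.
foreach (['GET', 'POST'] as $method) {
    try {
        requireStateChangingMethod($method);
        echo "$method: accepted, action may proceed" . PHP_EOL;
    } catch (MethodNotAllowed $e) {
        echo "$method: rejected with HTTP " . $e->getCode() . PHP_EOL;
    }
}
```

The method gate is the part that addresses the root cause named in the advisory; rejecting GET removes the "click a link" delivery path. Method enforcement on its own is not a complete CSRF defence, so a real backend action should still verify a per-session form token on the POST body, and the two settings audited above remain defence in depth rather than a substitute for the update.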