TYPO3 Form Framework Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the TYPO3 Form Framework module, affecting versions 10.0.0 through 10.4.47, 11.0.0 through 11.5.41, 12.0.0 through 12.4.24, and 13.0.0 through 13.4.2. Deep links into the backend user interface accept state-changing actions via HTTP GET; the module does not enforce that such actions arrive only through the appropriate HTTP method (POST). Because a GET request is issued simply by following a link, an attacker can embed such a deep link in a web page or message and have a logged-in backend user's browser send it. Exploitation requires that the victim has an active backend session and is tricked into clicking the malicious link, that the feature `security.backend.enforceReferrer` is disabled, and that the `BE/cookieSameSite` setting is `lax` or `none` rather than the default `strict` (with `strict`, the browser does not attach the backend session cookie to a cross-site request at all; with `lax` it still attaches it to top-level GET navigations such as a clicked link). Successful exploitation allows the attacker to manipulate or delete saved form definitions with the victim's backend privileges.
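The interplay of the three preconditions named above (SameSite cookie mode, referrer enforcement, and whether state-changing actions are accepted over GET) is easiest to see in a small model. The following is an added example written for this page, not TYPO3 code: it models the browser's SameSite cookie rule for a cross-site request and a simplified server-side handler for a "delete form definition" deep link, then runs the advisory's attack scenario against several configurations. The backend origin, the route, the token value, the simplified referrer check (reject any missing or foreign referrer) and the token check in the "patched" branch are assumptions of the model, not a description of the actual TYPO3 patch.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed values for this example; not TYPO3 defaults or real routes.
BACKEND_ORIGIN = "https://typo3.example.test"
VALID_TOKEN = "constructed-form-protection-token"


@dataclass
class Request:
    """One HTTP request as seen by the backend, plus how the browser issued it."""
    method: str
    referer: Optional[str]        # Referer header, None if the browser sent none
    cross_site: bool              # initiated from a page on another site
    top_level: bool               # top-level navigation (link click, form submit) vs fetch/img
    token: Optional[str] = None   # CSRF token carried in the request body, if any


@dataclass
class Config:
    """The three settings the advisory ties exploitability to."""
    cookie_same_site: str = "strict"   # BE/cookieSameSite: "strict", "lax" or "none"
    enforce_referrer: bool = True      # feature security.backend.enforceReferrer
    patched: bool = False              # fixed release: state change only via POST


def session_cookie_sent(req: Request, same_site: str) -> bool:
    """Browser-side rule: is the backend session cookie attached to this request?"""
    if not req.cross_site or same_site == "none":
        return True
    if same_site == "lax":
        # Lax still attaches cookies to top-level GET navigations, i.e. a clicked link.
        return req.top_level and req.method == "GET"
    return False  # strict: never on cross-site requests


def _same_origin(url: str, origin: str) -> bool:
    a, b = urlsplit(url), urlsplit(origin)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def delete_form_definition(req: Request, cfg: Config) -> str:
    """Server-side handling of the state-changing deep link; returns the outcome."""
    if not session_cookie_sent(req, cfg.cookie_same_site):
        return "rejected: not authenticated (no session cookie)"
    # Simplified referrer enforcement (assumption): missing or foreign referrer is rejected.
    if cfg.enforce_referrer and not (req.referer and _same_origin(req.referer, BACKEND_ORIGIN)):
        return "rejected: referrer not accepted"
    if cfg.patched:
        if req.method != "POST":
            return "rejected: method not allowed"
        if req.token != VALID_TOKEN:
            return "rejected: invalid form-protection token"
    return "deleted"


# Constructed scenarios: a link on an attacker page, an auto-submitted cross-site form,
# and a legitimate POST from the backend UI itself.
ATTACKER_LINK = Request("GET", referer="https://attacker.example.test/", cross_site=True, top_level=True)
ATTACKER_AUTOPOST = Request("POST", referer="https://attacker.example.test/", cross_site=True, top_level=True)
LEGIT_POST = Request("POST", referer=BACKEND_ORIGIN + "/typo3/", cross_site=False, top_level=True,
                     token=VALID_TOKEN)


def run_scenarios() -> dict:
    """Run the attacker's link against each configuration and collect the outcomes."""
    return {
        # the advisory's preconditions all met: the clicked link deletes the form definition
        "vulnerable_link": delete_form_definition(
            ATTACKER_LINK, Config(cookie_same_site="lax", enforce_referrer=False, patched=False)),
        # default cookieSameSite=strict alone stops the link-click vector
        "strict_cookie": delete_form_definition(
            ATTACKER_LINK, Config(cookie_same_site="strict", enforce_referrer=False, patched=False)),
        # enforceReferrer alone also stops it, even with lax cookies
        "referrer_enforced": delete_form_definition(
            ATTACKER_LINK, Config(cookie_same_site="lax", enforce_referrer=True, patched=False)),
        # fixed release: GET is no longer accepted for the state-changing action
        "patched": delete_form_definition(
            ATTACKER_LINK, Config(cookie_same_site="lax", enforce_referrer=False, patched=True)),
        # with SameSite=none a cross-site POST still carries the cookie; only the token stops it
        "patched_none_autopost": delete_form_definition(
            ATTACKER_AUTOPOST, Config(cookie_same_site="none", enforce_referrer=False, patched=True)),
        # legitimate same-origin POST with a valid token still works under the strictest settings
        "legit": delete_form_definition(
            LEGIT_POST, Config(cookie_same_site="strict", enforce_referrer=True, patched=True)),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24} {outcome}")
```

The `patched_none_autopost` scenario is the reason method enforcement alone is not the whole story: requiring POST closes the link-click vector the advisory describes, but a cross-site auto-submitted form is also a POST, so `BE/cookieSameSite` should stay at `strict`, `security.backend.enforceReferrer` should stay enabled, and state-changing backend actions should carry a form-protection token.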

Impact

Exploitation of this vulnerability allows an attacker to manipulate or delete saved form definitions in the TYPO3 Form Framework module in the name of the victim, limited to what the victim's backend account is permitted to do.

Remediation

Users are advised to update TYPO3 to version 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS. Until the update is applied, keeping `BE/cookieSameSite` at `strict` and the feature `security.backend.enforceReferrer` enabled removes the preconditions for exploitation. Extension authors should review their own backend modules and ensure that state-changing actions are accepted only via POST, not through GET deep links. For more guidance, consult the official TYPO3 documentation on Security Considerations for Backend Modules.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 0.6
exploitability: 6.5
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.