TYPO3 Cross-Site Request Forgery Vulnerability in Scheduler Module

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in TYPO3 versions 11.0.0 through 11.5.41, specifically within the backend user interface's deep link functionality. This issue arises because state-changing actions in the downstream 'Scheduler Module' improperly accepted submissions via HTTP GET, failing to enforce the correct HTTP method. Exploitation requires the victim to have an active backend session and to be tricked into clicking a malicious link, particularly under conditions where the 'security.backend.enforceReferrer' feature is disabled and the 'BE/cookieSameSite' configuration is set to lax or none. Successful exploitation allows attackers to trigger predefined command classes in the Scheduler Module, potentially leading to unauthorized data import or export.

Impact

Successful exploitation lets an attacker perform state-changing actions in the TYPO3 backend on behalf of the victim user, whose authenticated session is used to carry out the forged request.

Remediation

Users are advised to update TYPO3 to version 11.5.42 ELTS, which addresses this vulnerability. Extension authors should review and update their codebases accordingly.
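As an added illustration (example code, not TYPO3's own), the following PHP shows the two defensive checks implied by the advisory: a guard that refuses state-changing Scheduler actions unless they arrive as POST with a valid per-session token, and an audit of the two configuration values named above. The action names and the configuration array layout (mirroring `$GLOBALS['TYPO3_CONF_VARS']`) are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Constructed example: a request guard in the spirit of the fix, plus a check
// of the two settings the advisory names as exploitation preconditions.

/**
 * Allows a request only if it is read-only, or if it is a POST carrying a
 * token equal to the session's expected token. A state-changing action
 * arriving via GET (the vulnerable code path) is rejected.
 */
function isRequestAllowed(string $method, string $action, ?string $token,
                          string $expectedToken, array $stateChanging): bool
{
    if (!in_array($action, $stateChanging, true)) {
        return true; // read-only view: GET is acceptable
    }
    if ($method !== 'POST') {
        return false; // never change state on GET
    }
    return $token !== null && hash_equals($expectedToken, $token);
}

/**
 * Returns findings for the two configuration values the advisory names.
 * Empty result means both mitigations are in place. Missing keys are
 * assumed to fall back to the hardened values (enforceReferrer on, strict).
 */
function auditCsrfConfig(array $conf): array
{
    $findings = [];
    $enforceReferrer = $conf['SYS']['features']['security.backend.enforceReferrer'] ?? true;
    if ($enforceReferrer !== true) {
        $findings[] = 'security.backend.enforceReferrer is disabled';
    }
    $sameSite = strtolower((string)($conf['BE']['cookieSameSite'] ?? 'strict'));
    if ($sameSite !== 'strict') {
        $findings[] = "BE/cookieSameSite is '$sameSite'; lax/none sends the session cookie on cross-site top-level navigation";
    }
    return $findings;
}

// Constructed inputs: hypothetical action names, a random session token,
// and a configuration with both mitigations weakened.
$stateChanging = ['import', 'export'];
$expected = bin2hex(random_bytes(16));
var_dump(isRequestAllowed('GET', 'import', null, $expected, $stateChanging));
var_dump(isRequestAllowed('POST', 'import', $expected, $expected, $stateChanging));
print_r(auditCsrfConfig([
    'SYS' => ['features' => ['security.backend.enforceReferrer' => false]],
    'BE'  => ['cookieSameSite' => 'lax'],
]));
```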

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 5.0
exploitability: 6.5
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.