TYPO3
cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*
- >= 11.0.0, <= 11.5.41
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in TYPO3 versions 11.0.0 through 11.5.41. The issue is in the backend user interface, specifically in the DB Check Module, which is part of the TYPO3 CMS low-level extensions. The vulnerability allows attackers to perform unauthorized data manipulations because state-changing actions in the module improperly accept HTTP GET submissions instead of the HTTP methods required for such actions. Successful exploitation requires that the victim has an active backend session and is tricked into clicking a malicious link that targets the backend. This is only possible when the 'security.backend.enforceReferrer' feature is turned off and the 'BE/cookieSameSite' setting is configured to 'lax' or 'none'.
Exploitation of this vulnerability could lead to unauthorized data manipulation within the TYPO3 backend, specifically through the DB Check Module.
Users are advised to update TYPO3 to version 11.5.42 ELTS, which addresses this vulnerability. Extension authors should review and update their codebases accordingly. For more guidance, consult the official TYPO3 documentation on Security Considerations for Backend Modules.
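The request shape described above (a GET to the backend that carries parameters and arrives from a foreign or missing Referer) can be surfaced from web server logs for review while the update is rolled out. This is an added illustration, not TYPO3 or advisory code; it assumes Apache/nginx "combined" log format, the default `/typo3/` backend path prefix, and a constructed module path and parameter (`/typo3/module/example/action?cmd=...`) in the sample lines.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" format: host ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

BACKEND_PREFIX = "/typo3/"  # default TYPO3 backend entry point


def is_cross_site_backend_get(line: str, own_hosts: set[str]) -> bool:
    """True for a parameterised GET to the backend whose Referer is foreign or absent.

    That is the shape a cross-site link against a GET-accepting state-changing
    action produces. Normal backend navigation carries a same-origin Referer,
    so matches are a review queue for an analyst, not a confirmed attack.
    """
    m = LOG_RE.match(line)
    if not m:
        return False  # not a combined-format line; ignore rather than guess
    if m["method"] != "GET" or not m["path"].startswith(BACKEND_PREFIX):
        return False
    if "?" not in m["path"]:
        return False  # no parameters: plain module navigation, nothing to act on
    referer = m["referer"]
    ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
    return ref_host not in own_hosts


def suspicious_lines(log: str, own_hosts: set[str]) -> list[str]:
    """Return every log line that matches the heuristic, in input order."""
    return [ln for ln in log.splitlines() if ln and is_cross_site_backend_get(ln, own_hosts)]


# Constructed sample: same-origin backend use, one foreign-referer GET, one bare navigation.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] "GET /typo3/module/example/action?cmd=list HTTP/1.1" 200 512 "https://cms.example.org/typo3/main" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:01:09 +0000] "GET /typo3/module/example/action?cmd=update HTTP/1.1" 200 512 "https://lure.example/page.html" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:01:20 +0000] "GET /typo3/main HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in suspicious_lines(SAMPLE_LOG, {"cms.example.org"}):
        print("review:", hit)
```

Once 'security.backend.enforceReferrer' is enabled and 'BE/cookieSameSite' is set to 'strict', such requests are refused at the server and the log review becomes a confirmation rather than a control.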