TYPO3 CMS Field-Level Access Bypass Vulnerability in Edit Document Controller

Vulnerability

A broken access control vulnerability has been identified in the TYPO3 CMS Edit Document Controller. This issue allows attackers to bypass field-level access checks during record creation in the TYPO3 backend. By exploiting the 'defVals' parameter, attackers can insert arbitrary data into restricted exclude fields of a database table, provided they already have write permission for a limited set of fields. The vulnerability affects TYPO3 CMS versions 10.0.0 prior to 10.4.54, 11.0.0 prior to 11.5.48, 12.0.0 prior to 12.4.40, 13.0.0 prior to 13.4.22, and 14.0.0 prior to 14.0.1.

Impact

Exploitation of this vulnerability could lead to unauthorized data manipulation, allowing users to inject data into fields they should not have access to, potentially disrupting data integrity and application functionality.

Reproduction

To reproduce this vulnerability, a user with editor privileges can create a new record in the backend. During this process, the 'defVals' parameter can be manipulated to include data for excluded fields that the user is not permitted to modify. This can be done by overriding the default values with data that bypasses the established access controls, particularly for fields marked as read-only or disabled in the TCEFORM configuration.
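What a correct field-level check on supplied default values looks like, as an added illustration written for this page rather than TYPO3's own code or its patch: the function below takes the target table and the decoded defVals entries for that table, consults the TCA `exclude` flag and the backend user's `non_exclude_fields` permission (both real TYPO3 concepts; `check()` and `isAdmin()` are real BackendUserAuthentication methods), and drops every value the user is not entitled to write. The helper name `filterDefaultValuesByFieldAccess`, the optional PSR-3 logger and the usage lines at the bottom are assumptions made for the example.

```php
<?php
declare(strict_types=1);

use Psr\Log\LoggerInterface;
use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;

/**
 * Keep only those default values the backend user may write.
 *
 * Added example, not TYPO3 core code. It applies the same rule TYPO3 uses when
 * rendering a form: a TCA column flagged 'exclude' may only be written by an
 * admin or by a user whose groups grant "non_exclude_fields" for table:field.
 *
 * @param string                    $table   Database table of the new record
 * @param array<string,mixed>       $defVals Decoded defVals entries for $table
 * @param BackendUserAuthentication $user    The current backend user
 * @param array<string,mixed>       $tca     Table configuration, normally $GLOBALS['TCA']
 * @param LoggerInterface|null      $logger  Optional logger for dropped fields (assumed)
 * @return array{allowed: array<string,mixed>, dropped: list<string>}
 */
function filterDefaultValuesByFieldAccess(
    string $table,
    array $defVals,
    BackendUserAuthentication $user,
    array $tca,
    ?LoggerInterface $logger = null
): array {
    $allowed = [];
    $dropped = [];
    $columns = $tca[$table]['columns'] ?? [];

    foreach ($defVals as $field => $value) {
        // A column that is not defined in TCA cannot be validated, so it is never written.
        if (!isset($columns[$field])) {
            $dropped[] = (string)$field;
            continue;
        }
        $isExcludeField = !empty($columns[$field]['exclude']);
        // Exclude fields need an explicit grant; admins are exempt, as in form rendering.
        if (
            $isExcludeField
            && !$user->isAdmin()
            && !$user->check('non_exclude_fields', $table . ':' . $field)
        ) {
            $dropped[] = (string)$field;
            continue;
        }
        $allowed[$field] = $value;
    }

    // Surface rejected values so an attempt to prefill restricted fields is visible.
    if ($dropped !== [] && $logger !== null) {
        $logger->warning('defVals rejected for restricted fields', [
            'table'  => $table,
            'fields' => $dropped,
            'user'   => $user->user['uid'] ?? null,
        ]);
    }

    return ['allowed' => $allowed, 'dropped' => $dropped];
}

// Illustrative usage inside a controller that handles a "new record" request;
// $request is assumed to be the PSR-7 ServerRequestInterface of that request.
$defVals = $request->getQueryParams()['defVals']['tt_content'] ?? [];
$result = filterDefaultValuesByFieldAccess(
    'tt_content',
    is_array($defVals) ? $defVals : [],
    $GLOBALS['BE_USER'],
    $GLOBALS['TCA']
);
// Only $result['allowed'] is used to prefill the new record; $result['dropped']
// lists the fields the user could not have edited in the form either.
```

The point of the design is that the prefill path and the form-rendering path share one permission rule, so a value that the editor could not type into the form cannot arrive through the URL instead.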

Remediation

Users are advised to update TYPO3 to versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, or 14.0.2, all of which address this vulnerability.

Added: Jan 13, 2026, 12:26 PM
Updated: Jan 13, 2026, 2:14 PM

Vulnerability Rating

Custom Algorithm

spread          6.4
impact          0.6
exploitability  6.4
remediation     7.7
relevance       2.0
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.