TYPO3 CMS Recycler Module Broken Access Control Vulnerability Allowing Arbitrary Data Deletion

Vulnerability

A broken access control vulnerability has been identified in the TYPO3 CMS Recycler module (ext:recycler), affecting versions 10.0.0 prior to 10.4.54, 11.0.0 prior to 11.5.48, 12.0.0 prior to 12.4.40, 13.0.0 prior to 13.4.22, and 14.0.0 through 14.0.1. This vulnerability allows backend users with access to the recycler module to delete arbitrary data from any database table defined in the TCA, regardless of their permissions for those tables. Exploitation of this vulnerability could lead to the purging of critical site data, causing the website to become unavailable.

Impact

Successful exploitation allows for the unauthorized deletion of records from any database table defined in the TCA, potentially including critical site data, which could render the website unavailable.

Reproduction

To reproduce this vulnerability, a backend user must have access to the recycler module and the 'mod.recycler.allowDelete' TSconfig option must be set to '1'. The user can then delete records from any database table without the necessary permissions.

Remediation

Update TYPO3 to versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, or 14.0.2.
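The two checkable conditions above (an unpatched core and 'mod.recycler.allowDelete' set to '1') can be audited with a short script. This is an added example, not code from TYPO3 or from this advisory; the function names and the sample TSconfig are constructed, and the TSconfig reader is a deliberate simplification that treats every release below a branch's fixed version as unpatched.

```python
import re

# Fixed release per branch, copied from the Remediation section above.
FIXED = {10: (10, 4, 55), 11: (11, 5, 49), 12: (12, 4, 41),
         13: (13, 4, 23), 14: (14, 0, 2)}

def is_unpatched(version):
    """True if the version is on a listed branch and below its fixed release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised TYPO3 version: {version!r}")
    v = tuple(int(part) for part in m.groups())
    fixed = FIXED.get(v[0])
    return fixed is not None and v < fixed

def tsconfig_values(text):
    """Flatten TSconfig text into {dotted.path: value}; later lines win."""
    # Assumption: only comments, 'key = value' and '{ }' nesting are handled.
    # Condition lines ('[...]'), imports and other operators are ignored.
    values, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//", "[")):
            continue
        if line == "}":
            if stack:
                stack.pop()
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
        elif "=" in line:
            key, _, value = line.partition("=")
            values[".".join(stack + [key.strip()])] = value.strip()
    return values

def recycler_delete_exposed(version, tsconfig):
    """Unpatched core AND allowDelete = 1 in the supplied TSconfig."""
    allow = tsconfig_values(tsconfig).get("mod.recycler.allowDelete")
    return is_unpatched(version) and allow == "1"

# Constructed sample TSconfig, not taken from a real installation.
SAMPLE_TSCONFIG = """
mod {
    recycler {
        allowDelete = 1
    }
}
"""
```

Run `recycler_delete_exposed()` against the installed core version and each TSconfig text you export; a `True` result marks an account or group to review until the update is applied.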

Added: Jan 13, 2026, 12:21 PM
Updated: Jan 13, 2026, 2:09 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 3.1
exploitability: 6.4
remediation: 7.7
relevance: 1.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.