TYPO3 CMS Form Framework Broken Access Control Vulnerability Allowing Privilege Escalation

Vulnerability

A broken access control vulnerability has been identified in the TYPO3 CMS Form Framework (ext:form). Backend users with access to this framework could exploit it by supplying files that do not end with the required .form.yaml extension as form definitions; the system loaded these files without rejecting the incorrect extension. A maliciously crafted form definition file could execute arbitrary SQL statements, enabling an attacker to escalate privileges by creating administrative backend user accounts. This vulnerability affects TYPO3 CMS versions before 10.4.57, 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, 13.0.0 through 13.4.30, and 14.0.0 through 14.3.2.
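As an added example (not TYPO3's own code, and written against an assumed identifier format rather than the Form Framework's real API), the following Python shows the kind of strict ".form.yaml" suffix check whose absence the advisory describes, together with a small audit helper that flags stored form references which would not pass it. The "<storage uid>:/path" and "EXT:" identifier prefixes, the function names and the sample records are assumptions made for illustration.

```python
import re

# The extension a form definition must carry (stated in the advisory).
REQUIRED_SUFFIX = ".form.yaml"

# Assumed identifier shapes (illustrative, not a statement about TYPO3 internals):
#   "<storage uid>:/path/name.form.yaml"   or   "EXT:extension_key/path/name.form.yaml"
_STORAGE_PREFIX = re.compile(r"^\d+:")


def is_form_definition_identifier(identifier: str) -> bool:
    """Accept only identifiers whose basename is '<name>.form.yaml'.

    Rejects: empty values or surrounding whitespace, NUL bytes, '.' or '..'
    path segments, empty segments (double or trailing slashes), other
    extensions ('.yaml', '.form.yml'), case variants ('.FORM.YAML'), and a
    bare '.form.yaml' with no form name in front of it.
    """
    if not identifier or identifier != identifier.strip() or "\x00" in identifier:
        return False
    path_part = _STORAGE_PREFIX.sub("", identifier, count=1)
    if path_part.startswith("EXT:"):
        path_part = path_part[len("EXT:"):]
    segments = path_part.split("/")
    # A leading "/" yields one empty first segment, which is fine; any other
    # empty segment, or a "." / ".." segment, is rejected.
    if any(seg in (".", "..") for seg in segments) or "" in segments[1:]:
        return False
    basename = segments[-1]
    return basename.endswith(REQUIRED_SUFFIX) and len(basename) > len(REQUIRED_SUFFIX)


def audit_form_references(references):
    """Return the record ids whose form definition identifier fails the check.

    `references` is an iterable of (record_id, identifier) pairs, for example
    collected from content elements that embed a form (assumed data source).
    """
    return [rid for rid, ident in references if not is_form_definition_identifier(ident)]


# Constructed sample data; not taken from any real installation.
SAMPLE_REFERENCES = [
    (101, "1:/form_definitions/contact.form.yaml"),
    (102, "1:/form_definitions/contact.yaml"),
    (103, "1:/form_definitions/newsletter.form.yml"),
    (104, "1:/form_definitions/../../fileadmin/upload.form.yaml"),
    (105, "EXT:site_package/Resources/Private/Forms/feedback.form.yaml"),
    (106, "1:/form_definitions/.form.yaml"),
]

if __name__ == "__main__":
    for rid in audit_form_references(SAMPLE_REFERENCES):
        print(f"record {rid}: form definition identifier does not end with {REQUIRED_SUFFIX}")
```

Running the block prints the records 102, 103, 104 and 106 as non-compliant; the same helper can be pointed at references exported from an installation that has not yet been updated, to see whether any form definition outside the expected naming scheme was ever wired into content.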

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling the creation of administrative backend user accounts.

Reproduction

To reproduce this vulnerability, upload a file with a non-compliant extension as a form definition in the TYPO3 CMS Form Framework. The system will process the file despite the incorrect extension. Once the file is processed, it can be used to execute arbitrary SQL statements, such as those creating administrative user accounts.

Remediation

Users are advised to update TYPO3 to versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS, all of which address this vulnerability.

Added: Jun 9, 2026, 11:39 AM
Updated: Jun 9, 2026, 11:39 AM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           6.4
impact           5.0
exploitability   6.4
remediation      7.7
relevance        9.6
threat           4.8
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.