TYPO3
cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*
- >= 10.0.0, <= 10.4.56
- >= 11.0.0, <= 11.5.50
- >= 12.0.0, <= 12.4.45
- >= 13.0.0, <= 13.4.30
- >= 14.0.0, <= 14.3.2
A broken access control vulnerability has been identified in the TYPO3 CMS Recycler module. It allows backend users to restore soft-deleted records from pages or tables they do not have permission to modify. This issue affects TYPO3 CMS versions 10.0.0 prior to 10.4.57, 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, 13.0.0 through 13.4.30, and 14.0.0 through 14.3.2.
Exploitation of this vulnerability could lead to unauthorized restoration of records, potentially allowing users to manipulate content or data they are not authorized to manage.
To reproduce this vulnerability, a backend user with access to the Recycler module restores soft-deleted records from pages or tables for which they lack the necessary permissions. The Recycler performs the restore through the DataHandler's undelete command, and that undelete action bypasses the permission checks that otherwise apply to modifying those records.
Users are advised to update TYPO3 to versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS, all of which include the necessary fix.