TYPO3 CMS Form Framework Privilege Escalation and SQL Injection Vulnerability

Vulnerability

A vulnerability in the TYPO3 CMS Form Framework (ext:form) allows backend users with write access to the form_definition database table to bypass the framework's persistence validation and permission checks by manipulating form definition records directly through the DataHandler. Exploiting it enables the injection of arbitrary form configurations, potentially reintroducing previously addressed attack vectors such as SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0 prior to 14.3.3.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation and SQL injection, allowing attackers to manipulate database queries and potentially execute malicious SQL commands.

Reproduction

To reproduce this vulnerability, a backend user with write access to the form_definition table can use the TYPO3 DataHandler to create, update, or delete form definition records. This process bypasses the Form Framework's built-in validation and permission checks. Once the records are manipulated, the injected form configurations can be exploited to escalate privileges or execute SQL injection attacks.

Remediation

Users are advised to update TYPO3 to version 14.3.3 LTS, which addresses this vulnerability by re-implementing the necessary guards and validation checks for form definitions.
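As an added defender-side check, not code from the advisory or from TYPO3 itself, the following script combines the two conditions the advisory names: an affected core version and a backend group that may write the form_definition table. It assumes that be_groups.tables_modify holds a comma-separated list of writable table names (an assumption about the schema), and the group rows are constructed sample data.

```python
# Added audit helper; not code from the advisory or from TYPO3 itself.
# Assumption: be_groups.tables_modify holds a comma-separated list of the
# tables a backend group may write. SAMPLE_GROUPS below is constructed data.
from dataclasses import dataclass
from typing import Iterable, List

AFFECTED_FROM = (14, 0, 0)   # first affected release per the advisory
FIXED_IN = (14, 3, 3)        # release that restores the guards
SENSITIVE_TABLE = "form_definition"

def parse_version(version: str) -> tuple:
    """'14.3.2' or '14.3.2-dev' -> (14, 3, 2); missing parts are zero."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])

def is_affected(version: str) -> bool:
    """True when the version lies in [14.0.0, 14.3.3)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN

@dataclass
class BackendGroup:
    uid: int
    title: str
    tables_modify: str  # assumed schema: comma-separated table names

def groups_with_form_definition_write(groups: Iterable[BackendGroup]) -> List[int]:
    """uids of groups whose tables_modify grants write access to form_definition."""
    hits = []
    for group in groups:
        tables = {t.strip() for t in group.tables_modify.split(",") if t.strip()}
        if SENSITIVE_TABLE in tables:
            hits.append(group.uid)
    return hits

# Constructed sample rows; no real installation was queried.
SAMPLE_GROUPS = [
    BackendGroup(1, "editors", "tt_content,pages"),
    BackendGroup(2, "form-managers", "tt_content, form_definition ,pages"),
    BackendGroup(3, "marketing", "sys_file_reference,form_definition"),
]

def audit(version: str, groups: Iterable[BackendGroup]) -> dict:
    """The install is exposed only if the version is affected AND some
    non-admin group can write form_definition records."""
    exposed = groups_with_form_definition_write(groups)
    vulnerable = is_affected(version)
    return {"vulnerable_version": vulnerable,
            "groups_with_write_access": exposed,
            "exposed": vulnerable and bool(exposed)}
```

Admin backend users bypass table permissions by design, so they are not covered by the group check; on a live system, replace SAMPLE_GROUPS with rows read from be_groups.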

Added: Jun 9, 2026, 11:21 AM
Updated: Jun 9, 2026, 11:21 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.