CVE-2024-55922: 
PHP vulnerability analysis and mitigation

TYPO3, a free and open source Content Management Framework, disclosed a vulnerability (CVE-2024-55922) in its backend user interface functionality on January 14, 2025. The vulnerability involves deep links and is susceptible to Cross-Site Request Forgery (CSRF), affecting versions 10.0.0-10.4.47, 11.0.0-11.5.41, 12.0.0-12.4.24, and 13.0.0-13.4.2 (TYPO3 Advisory, GitHub Advisory).

The vulnerability stems from state-changing actions in downstream components incorrectly accepting submissions via HTTP GET and not enforcing appropriate HTTP methods. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and CWE-749 (Exposed Dangerous Method or Function) (GitHub Advisory).

The vulnerability in the affected downstream component 'Form Framework Module' allows attackers to manipulate or delete persisted form definitions. The impact is limited to scenarios where users have an active backend session and are deceived into interacting with malicious URLs (TYPO3 Advisory).

The vulnerability has been patched in TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, and 13.4.3 LTS. It is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict, which are the default settings. Extension authors are advised to review and update their codebase accordingly (TYPO3 Advisory).