CVE-2024-55923: 
PHP vulnerability analysis and mitigation

TYPO3, a free and open source Content Management Framework, has identified a vulnerability (CVE-2024-55923) in its backend user interface functionality involving deep links. The vulnerability was disclosed on January 14, 2025, affecting TYPO3 versions 11.0.0-11.5.41, 12.0.0-12.4.24, and 13.0.0-13.4.2. This security issue primarily involves Cross-Site Request Forgery (CSRF) susceptibility in the backend user interface (TYPO3 Advisory, GitHub Advisory).

The vulnerability stems from state-changing actions in downstream components that incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. The issue specifically affects the Indexed Search Module component. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The weakness has been categorized under CWE-352 (Cross-Site Request Forgery) and CWE-749 (Exposed Dangerous Method or Function) (GitHub Advisory).

Successful exploitation of this vulnerability allows attackers to delete items within the Indexed Search Module component. The attack can only be executed when the victim has an active session on the backend user interface and is deceived into interacting with a malicious URL targeting the backend (TYPO3 Advisory).

Users are advised to update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS which contain the fix. Additionally, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict, which are the default settings. Extension authors are advised to review and update their codebase accordingly (TYPO3 Advisory).