CVE-2024-55924: 
PHP vulnerability analysis and mitigation

TYPO3, a free and open source Content Management Framework, disclosed a vulnerability (CVE-2024-55924) in its backend user interface functionality on January 14, 2025. The vulnerability involves deep links and is susceptible to Cross-Site Request Forgery (CSRF). The issue affects TYPO3 versions 11.0.0-11.5.41, specifically in the Scheduler Module component (TYPO3 Advisory, GitHub Advisory).

The vulnerability stems from state-changing actions in downstream components that incorrectly accepted submissions via HTTP GET and failed to enforce appropriate HTTP methods. The CVSS v3.1 base score is 8.0 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and CWE-749 (Exposed Dangerous Method or Function) (GitHub Advisory).

The vulnerability in the affected Scheduler Module component allows attackers to trigger pre-defined command classes, which can lead to unauthorized import or export of data in the worst case. This impact occurs when an attacker successfully exploits the vulnerability through the backend user interface (TYPO3 Advisory).

Users are advised to update to TYPO3 version 11.5.42 ELTS which fixes the vulnerability. Additionally, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict, which are the default settings. Extension authors are advised to review and update their codebase accordingly (TYPO3 Advisory).