CVE-2024-55945: 
PHP vulnerability analysis and mitigation

TYPO3, a free and open source Content Management Framework, has been identified with a vulnerability (CVE-2024-55945) in its backend user interface functionality involving deep links. The vulnerability was discovered and disclosed on January 14, 2025, affecting TYPO3 versions 11.0.0-11.5.41. The issue specifically impacts the DB Check Module component of the system (TYPO3 Advisory).

The vulnerability is primarily a Cross-Site Request Forgery (CSRF) issue, combined with incorrect handling of HTTP methods in downstream components. The system incorrectly accepted submissions via HTTP GET and failed to enforce appropriate HTTP methods. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L. The weakness has been categorized under CWE-352 (Cross-Site Request Forgery) and CWE-749 (Exposed Dangerous Method or Function) (GitHub Advisory).

The vulnerability allows attackers to manipulate data through unauthorized actions in the DB Check Module. Successful exploitation requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend (TYPO3 Advisory).

The vulnerability has been patched in TYPO3 version 11.5.42 ELTS. Users are advised to update to this version. Additionally, it is recommended to keep the security.backend.enforceReferrer feature enabled and set BE/cookieSameSite to strict, which are the default settings. Extension authors are advised to review and update their codebase accordingly (TYPO3 Advisory).

The vulnerability was responsibly disclosed and addressed with contributions from TYPO3 core and security members including Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, and Elias Häußler. The initial discovery credit goes to Gabriel Dimitrov (TYPO3 Advisory).