Vulnerability Lookup

🛡️ CVE-2024-55894

🟡 CVSS 4.3 — Medium ✅ No Known Exploit CWE-352 NVD

4.3

CVSS Score

0 Low4 Medium7 High9 Critical10

Description

TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions: The user opens a malicious link, such as one sent via email. The user visits a compromised or manipulated website while the following settings are misconfigured: 1. `security.backend.enforceReferrer` feature is disabled, 2. `BE/cookieSameSite` configuration is set to lax or none. The vulnerability in the affected downstream component “Backend User Module” allows attackers to initiate password resets for other backend users or to terminate their user sessions. Users are advised to update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS which fix the problem described.

Details

Severity MEDIUM

CVSS Score 4.3

CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE CWE-352

Public Exploit ✅ No

Source NVD

Published 2025-01-14

Updated 2026-06-15

Modified 2025-08-26

Fix URL https://github.com/TYPO3-CMS/beuser/commit/18603efc3a66d3255fdd04eb6bda6b4d6a95abea

Affected Packages

Software	From version	Fixed in
typo3	13.0.0	13.4.3
typo3/cms-beuser	13.0.0	13.4.3

References

Patch https://github.com/TYPO3-CMS/beuser/commit/18603efc3a66d3255fdd04eb6bda6b4d6a95abea

Patch https://github.com/TYPO3-CMS/beuser/commit/1bb317cb2bc0b2f6ba4f758a088f060b36c67f9d

Patch https://github.com/TYPO3-CMS/beuser/commit/4142112a878f8805234729751bc6b9c0091560ab

Vendor Advisory https://github.com/TYPO3/typo3/security/advisories/GHSA-6w4x-gcx3-8p7v

Vendor Advisory https://typo3.org/security/advisory/typo3-core-sa-2025-004

🔗 NVD 🔗 Mitre ✅ Fix / Advisory

Similar Threats

Free Vulnerability Check

Is your WordPress site affected?

BotEraser helps you identify potentially vulnerable plugins and themes by checking your installation against known CVE records.

Scan My Site Free →

No credit card required · Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.

Is your WordPress site affected?

Company

Resources

Services

Trusted

Subscribe