Cross-Site-Request-Forgery in Backend

> ### Meta
> * CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (8.2)

Problem

It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery.

The impact is the same as described in TYPO3-CORE-SA-2020-006 (CVE-2020-11069). However, it is not limited to the same site context and does not require the attacker to be authenticated. In a worst case scenario, the attacker could create a new admin user account to compromise the system.

To successfully carry out an attack, an attacker must trick his victim to access a compromised system. The victim must have an active session in the TYPO3 backend at that time.

The following Same-Site cookie settings in $GLOBALS[TYPO3_CONF_VARS][BE][cookieSameSite] are required for an attack to be successful:

• SameSite=strict: malicious evil.example.org invoking TYPO3 application at good.example.org* SameSite=lax ornone: maliciousevil.cominvoking TYPO3 application atexample.org

Solution

Update your instance to TYPO3 version 11.5.0 which addresses the problem described.

Credits

Thanks to Richie Lee who reported this issue and to TYPO3 core & security team members Benni Mack and Oliver Hader who fixed the issue.

References

• TYPO3-CORE-SA-2021-014
• CVE-2020-11069 reintroduced in TYPO3 v11.2.0