GoogleOSV:GHSA-657M-V5VM-F6RWCross-Site-Request-Forgery in Backend
0.002 Low
EPSS
Percentile
60.3%
> ### Meta
> * CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (8.2)
Problem
It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery.
The impact is the same as described in TYPO3-CORE-SA-2020-006 (CVE-2020-11069). However, it is not limited to the same site context and does not require the attacker to be authenticated. In a worst case scenario, the attacker could create a new admin user account to compromise the system.
To successfully carry out an attack, an attacker must trick his victim to access a compromised system. The victim must have an active session in the TYPO3 backend at that time.
The following Same-Site cookie settings in $GLOBALS[TYPO3_CONF_VARS][BE][cookieSameSite] are required for an attack to be successful:
- SameSite=strict: malicious evil.example.org invoking TYPO3 application at good.example.org* SameSite=lax ornone: maliciousevil.cominvoking TYPO3 application atexample.org
Solution
Update your instance to TYPO3 version 11.5.0 which addresses the problem described.
Credits
Thanks to Richie Lee who reported this issue and to TYPO3 core & security team members Benni Mack and Oliver Hader who fixed the issue.
References
- TYPO3-CORE-SA-2021-014
- CVE-2020-11069 reintroduced in TYPO3 v11.2.0
References
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-41113.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-41113.yaml
github.com/TYPO3/typo3
github.com/TYPO3/typo3/commit/fa51999203c5e5d913ecae5ea843ccb2b95fa33f
github.com/TYPO3/typo3/security/advisories/GHSA-657m-v5vm-f6rw
nvd.nist.gov/vuln/detail/CVE-2020-11069
nvd.nist.gov/vuln/detail/CVE-2021-41113
typo3.org/security/advisory/typo3-core-sa-2020-006
typo3.org/security/advisory/typo3-core-sa-2021-014
Related
