Same-Origin Request Forgery to Backend User Interface

ID TYPO3-CORE-SA-2020-006
Type typo3
Reporter TYPO3 Association
Modified 2020-05-12T00:00:00


It has been discovered that the backend user interface and install tool are vulnerable to same-origin request forgery. A backend user can be tricked into interacting with a malicious resource that an attacker previously managed to upload to the web server; scripts are then executed with the privileges of the victim's user session.