4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-55945

GHSA ID

GHSA-8mv3-37rc-pvxj

EPSS Score

0.05589%

CWE

CWE-352

Published

1/14/2025

Updated

1/14/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-55945

CVE-2024-55945: TYPO3 DB Check Module vulnerable to Cross-Site Request Forgery

Problem

A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:

the user opens a malicious link, such as one sent via email.
the user visits a compromised or manipulated website while the following settings are misconfigured:
- security.backend.enforceReferrer feature is disabled,
- BE/cookieSameSite configuration is set to lax or none

The vulnerability in the affected downstream component “DB Check Module” allows attackers to manipulate data through unauthorized actions.

Solution

Update to TYPO3 versions 11.5.42 ELTS that fixes the problem described.

Credits

Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

References

TYPO3-CORE-SA-2025-010

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-55945

GHSA ID

GHSA-8mv3-37rc-pvxj

EPSS Score

0.05589%

CWE

CWE-352

Published

1/14/2025

Updated

1/14/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms-lowlevel	composer	>= 11.0.0, <= 11.5.41	11.5.42

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers on state-changing actions in the DB Check Module (ext:lowlevel) accepting HTTP GET requests without CSRF protection. TYPO3 backend controllers typically implement actions via Extbase, where methods like checkAction and fixAction would handle database operations. The CWE-749 (exposed dangerous methods) and CWE-352 (CSRF) align with these functions if they lack HTTP method enforcement (@TYPO3\CMS\Extbase\Annotation\IgnoreValidation is insufficient) and CSRF token validation. The DatabaseIntegrityController is the logical component for these operations, and the vulnerability description explicitly references improper HTTP method handling in downstream components.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Pro*l*m * vuln*r**ility **s ***n i**nti*i** in t** ***k*n* us*r int*r**** *un*tion*lity involvin* ***p links. Sp**i*i**lly, t*is *un*tion*lity is sus**pti*l* to *ross-Sit* R*qu*st *or**ry (*SR*). ***ition*lly, st*t*-***n*in* **tions in *ownstr**m

Reasoning

T** vuln*r**ility **nt*rs on st*t*-***n*in* **tions in t** ** ****k Mo*ul* (*xt:lowl*v*l) ****ptin* `*TTP` **T r*qu*sts wit*out *SR* prot**tion. `TYPO*` ***k*n* *ontroll*rs typi**lly impl*m*nt **tions vi* `*xt**s*`, w**r* m*t*o*s lik* `****k**tion` *

4.3

Basic Information

Concerned about an active attack path?

CVE-2024-55945: TYPO3 DB Check Module vulnerable to Cross-Site Request Forgery

Problem

Solution

Credits

References

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI