Open Redirect Affecting typo3/cms-core package, versions >=9.0.0, <9.5.49>=10.0.0, <10.4.48>=11.0.0, <11.5.42>=12.0.0, <12.4.25>=13.0.0, <13.4.3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-TYPO3CMSCORE-8623374
- published15 Jan 2025
- disclosed14 Jan 2025
- creditSam Mush and Christian Eßl
Introduced: 14 Jan 2025
NewCVE-2024-55892 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade typo3/cms-core to version 9.5.49, 10.4.48, 11.5.42, 12.4.25, 13.4.3 or higher.
Overview
typo3/cms-core is a free open source enterprise content management system.
Affected versions of this package are vulnerable to Open Redirect via the Uri parsing functionality. An attacker can redirect users to malicious websites or potentially initiate server-side request forgery attacks by manipulating the URL parameters that pass the initial validation checks.
Note:
This is only exploitable if the application uses TYPO3\CMS\Core\Http\Uri to validate and redirect based on external URL inputs.