Cross-site Request Forgery (CSRF) Affecting typo3/cms-extensionmanager package, versions >=10.0.0, <10.4.48>=11.0.0, <11.5.42>=12.0.0, <12.4.25>=13.0.0, <13.4.3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Cross-site Request Forgery (CSRF) vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PHP-TYPO3CMSEXTENSIONMANAGER-8622967
- published15 Jan 2025
- disclosed14 Jan 2025
- creditGabriel Dimitrov
Introduced: 14 Jan 2025
NewCVE-2024-55921 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade typo3/cms-extensionmanager to version 10.4.48, 11.5.42, 12.4.25, 13.4.3 or higher.
Overview
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the backend user interface functionality involving deep links. An attacker can manipulate the session and perform unauthorized actions.
Note:
This is only exploitable if the security.backend.enforceReferrer feature is disabled and the BE/cookieSameSite configuration is set to lax or none.