CVE-2024-55921

High

Published: 14 January 2025

Published

14 January 2025

Modified

26 August 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0289 86.4th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-55921 is a high-severity CSRF (CWE-352) vulnerability in Typo3 Typo3. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked in the top 13.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-23 (Session Authenticity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Spearphishing Link (T1566.002) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring timely identification, reporting, and application of official TYPO3 patches (11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS) to remediate the CSRF flaw.

SC-23 Session Authenticity good match

prevent

Protects session authenticity in the TYPO3 backend against CSRF exploitation via mechanisms like anti-CSRF tokens for state-changing deep link actions.

CM-6 Configuration Settings good match

prevent

Enforces secure configuration settings such as enabling security.backend.enforceReferrer and setting BE/cookieSameSite to strict, preventing exploitation under the specified misconfigurations.

MITRE ATT&CK Enterprise TechniquesAI

T1566.002 Spearphishing Link Initial Access

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

attack.mitre.org →

T1204.001 Malicious Link Execution

An adversary may rely upon a user clicking a malicious link in order to gain execution.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

CSRF on authenticated backend deep links is triggered via malicious URL (spearphishing link + user execution); successful exploitation installs arbitrary extensions that achieve RCE via server software component.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components…

incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions: The user opens a malicious link, such as one sent via email. The user visits a compromised or manipulated website while the following settings are misconfigured: 1. `security.backend.enforceReferrer` feature is disabled, 2. `BE/cookieSameSite` configuration is set to lax or none. The vulnerability in the affected downstream component “Extension Manager Module” allows attackers to retrieve and install 3rd party extensions from the TYPO3 Extension Repository - which can lead to remote code execution in the worst case. Users are advised to update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS which fix the problem described.

Deeper analysisAI

CVE-2024-55921 is a Cross-Site Request Forgery (CSRF) vulnerability classified under CWE-352 and CWE-749 in the backend user interface of TYPO3, a free and open-source Content Management Framework. The issue affects deep link functionality, where state-changing actions in downstream components, such as the Extension Manager Module, incorrectly accept submissions via HTTP GET requests without enforcing the proper HTTP method. This flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on January 14, 2025.

Exploitation requires the victim to have an active authenticated session in the TYPO3 backend and to be socially engineered into interacting with a malicious URL. Attackers can deliver this via email links or by luring users to compromised or manipulated websites, provided specific misconfigurations exist: the security.backend.enforceReferrer feature is disabled and the BE/cookieSameSite setting is lax or none. Successful attacks on the Extension Manager Module enable retrieval and installation of arbitrary third-party extensions from the TYPO3 Extension Repository, potentially leading to remote code execution.

The official TYPO3 security advisories (TYPO3 Core SA-2025-006 and GitHub GHSA-4g52-pq8j-6qv5) recommend updating to fixed versions 11.5.42 ELTS, 12.4.25 LTS, or 13.4.3 LTS to mitigate the vulnerability.

Details

CWE(s): CWE-352 CWE-749

Affected Products

typo3

10.0.0 — 10.4.48 · 11.0.0 — 11.5.42 · 12.0.0 — 12.4.25

CVEs Like This One

CVE-2024-55924Same product: Typo3 Typo3

CVE-2026-0859Same product: Typo3 Typo3

CVE-2025-59022Same product: Typo3 Typo3

CVE-2024-13250Same product class: CMS core

CVE-2026-40488Same product class: CMS core

CVE-2025-24406Same product class: CMS core

CVE-2024-13668Same product class: CMS core

CVE-2024-40748Same product class: CMS core

CVE-2025-24416Same product class: CMS core

CVE-2026-21289Same product class: CMS core

References

https://github.com/TYPO3/typo3/security/advisories/GHSA-4g52-pq8j-6qv5
Vendor Advisory · security-advisories@github.com
https://typo3.org/security/advisory/typo3-core-sa-2025-006
Vendor Advisory · security-advisories@github.com