Multiple vulnerabilities in TYPO3
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2024-55945 CVE-2024-55891 CVE-2024-55892 CVE-2024-55893 CVE-2024-55894 CVE-2024-55920 CVE-2024-55921 CVE-2024-55922 CVE-2024-55923 CVE-2024-55924 |
| CWE-ID | CWE-352 CWE-532 CWE-601 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
TYPO3 Web applications / CMS |
| Vendor | TYPO3 |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) Cross-site request forgery
EUVDB-ID: #VU102807
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-55945
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in DB Check module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTYPO3: 11.5.0 - 11.5.41
CPE2.3 External linkshttps://github.com/TYPO3/typo3/security/advisories/GHSA-8mv3-37rc-pvxj
https://typo3.org/security/advisory/typo3-core-sa-2025-010
https://typo3.org/security/advisory/typo3-core-sa-2025-010/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Inclusion of Sensitive Information in Log Files
EUVDB-ID: #VU102816
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-55891
CWE-ID:
CWE-532 - Information Exposure Through Log Files
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to software stores sensitive information into log files within Exception Handling/Logger. A remote user can read the log files and gain access to sensitive data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTYPO3: 13.4.2
CPE2.3 External linkshttps://github.com/TYPO3/typo3/security/advisories/GHSA-38x7-cc6w-j27q
https://typo3.org/security/advisory/typo3-core-sa-2025-001
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Open redirect
EUVDB-ID: #VU102815
Risk: Medium
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-55892
CWE-ID:
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data within Parsing Differences. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTYPO3: 9.0.0 - 13.4.2
CPE2.3 External linkshttps://github.com/TYPO3/typo3/security/advisories/GHSA-2fx5-pggv-6jjr
https://typo3.org/security/advisory/typo3-core-sa-2025-002
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Cross-site request forgery
EUVDB-ID: #VU102814
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-55893
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in Log module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTYPO3: 10.0.0 - 13.4.2
CPE2.3https://github.com/TYPO3/typo3/security/advisories/GHSA-cjfr-9f5r-3q93
https://typo3.org/security/advisory/typo3-core-sa-2025-003
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Cross-site request forgery
EUVDB-ID: #VU102813
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-55894
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in Backend User module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTYPO3: 10.0.0 - 13.4.2
CPE2.3https://github.com/TYPO3/typo3/security/advisories/GHSA-6w4x-gcx3-8p7v
https://typo3.org/security/advisory/typo3-core-sa-2025-004
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Cross-site request forgery
EUVDB-ID: #VU102812
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-55920
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in Dashboard module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTYPO3: 11.0.0 - 13.4.2
CPE2.3https://github.com/TYPO3/typo3/security/advisories/GHSA-qwx7-39pw-2mhr
https://typo3.org/security/advisory/typo3-core-sa-2025-005
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Cross-site request forgery
EUVDB-ID: #VU102811
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-55921
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in Extension Manager module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTYPO3: 11.0.0 - 13.4.2
CPE2.3https://github.com/TYPO3/typo3/security/advisories/GHSA-4g52-pq8j-6qv5
https://typo3.org/security/advisory/typo3-core-sa-2025-006
https://typo3.org/security/advisory/typo3-core-sa-2025-006/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Cross-site request forgery
EUVDB-ID: #VU102810
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-55922
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in Form Framework module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTYPO3: 11.0.0 - 13.4.2
CPE2.3https://github.com/TYPO3/typo3/security/advisories/GHSA-ww7h-g2qf-7xv6
https://typo3.org/security/advisory/typo3-core-sa-2025-007
https://typo3.org/security/advisory/typo3-core-sa-2025-007/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Cross-site request forgery
EUVDB-ID: #VU102809
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-55923
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in Indexed Search module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTYPO3: 11.0.0 - 13.4.2
CPE2.3https://github.com/TYPO3/typo3/security/advisories/GHSA-7r5q-4qgx-v545
https://typo3.org/security/advisory/typo3-core-sa-2025-008
https://typo3.org/security/advisory/typo3-core-sa-2025-008/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Cross-site request forgery
EUVDB-ID: #VU102808
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-55924
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in Scheduler module. A remote user can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTYPO3: 11.5.0 - 11.5.41
CPE2.3https://github.com/TYPO3/typo3/security/advisories/GHSA-7835-fcv3-g256
https://typo3.org/security/advisory/typo3-core-sa-2025-009
https://typo3.org/security/advisory/typo3-core-sa-2025-009/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
