SB2025011571 - Multiple vulnerabilities in TYPO3
Published: January 15, 2025 Updated: January 15, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 10 secuirty vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2024-55945)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in DB Check module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
2) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2024-55891)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to software stores sensitive information into log files within Exception Handling/Logger. A remote user can read the log files and gain access to sensitive data.
3) Open redirect (CVE-ID: CVE-2024-55892)
The vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data within Parsing Differences. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
4) Cross-site request forgery (CVE-ID: CVE-2024-55893)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in Log module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
5) Cross-site request forgery (CVE-ID: CVE-2024-55894)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in Backend User module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
6) Cross-site request forgery (CVE-ID: CVE-2024-55920)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in Dashboard module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
7) Cross-site request forgery (CVE-ID: CVE-2024-55921)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in Extension Manager module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
8) Cross-site request forgery (CVE-ID: CVE-2024-55922)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in Form Framework module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
9) Cross-site request forgery (CVE-ID: CVE-2024-55923)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in Indexed Search module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
10) Cross-site request forgery (CVE-ID: CVE-2024-55924)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in Scheduler module. A remote user can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
Remediation
Install update from vendor's website.
References
- https://github.com/TYPO3/typo3/security/advisories/GHSA-8mv3-37rc-pvxj
- https://typo3.org/security/advisory/typo3-core-sa-2025-010
- https://typo3.org/security/advisory/typo3-core-sa-2025-010/
- https://github.com/TYPO3/typo3/security/advisories/GHSA-38x7-cc6w-j27q
- https://typo3.org/security/advisory/typo3-core-sa-2025-001
- https://github.com/TYPO3/typo3/security/advisories/GHSA-2fx5-pggv-6jjr
- https://typo3.org/security/advisory/typo3-core-sa-2025-002
- https://github.com/TYPO3/typo3/security/advisories/GHSA-cjfr-9f5r-3q93
- https://typo3.org/security/advisory/typo3-core-sa-2025-003
- https://github.com/TYPO3/typo3/security/advisories/GHSA-6w4x-gcx3-8p7v
- https://typo3.org/security/advisory/typo3-core-sa-2025-004
- https://github.com/TYPO3/typo3/security/advisories/GHSA-qwx7-39pw-2mhr
- https://typo3.org/security/advisory/typo3-core-sa-2025-005
- https://github.com/TYPO3/typo3/security/advisories/GHSA-4g52-pq8j-6qv5
- https://typo3.org/security/advisory/typo3-core-sa-2025-006
- https://typo3.org/security/advisory/typo3-core-sa-2025-006/
- https://github.com/TYPO3/typo3/security/advisories/GHSA-ww7h-g2qf-7xv6
- https://typo3.org/security/advisory/typo3-core-sa-2025-007
- https://typo3.org/security/advisory/typo3-core-sa-2025-007/
- https://github.com/TYPO3/typo3/security/advisories/GHSA-7r5q-4qgx-v545
- https://typo3.org/security/advisory/typo3-core-sa-2025-008
- https://typo3.org/security/advisory/typo3-core-sa-2025-008/
- https://github.com/TYPO3/typo3/security/advisories/GHSA-7835-fcv3-g256
- https://typo3.org/security/advisory/typo3-core-sa-2025-009
- https://typo3.org/security/advisory/typo3-core-sa-2025-009/