CVSS score: 8.8
CWE: 352, 309

CVE-2021-41113: CSRF

First published: Tue Oct 05 2021

> ### Meta
>
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (8.2)
>
> ### Problem
>
> It has been discovered that the new TYPO3 v11 feature that allows users to create and share [deep links in the backend user interface](https://typo3.org/article/typo3-version-112-escape-the-orbit#c12178) is vulnerable to cross-site-request-forgery. The impact is the same as described in [TYPO3-CORE-SA-2020-006 (CVE-2020-11069)](https://typo3.org/security/advisory/typo3-core-sa-2020-006). However, it is not limited to the same site context and does not require the attacker to be authenticated. In a worst case scenario, the attacker could create a new admin user account to compromise the system.
>
> To successfully carry out an attack, an attacker must trick his victim to access a compromised system. The victim must have an active session in the TYPO3 backend at that time. The following [Same-Site cookie settings](https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/8.7.x/Feature-90351-ConfigureTYPO3-shippedCookiesWithSameSiteFlag.html) in _$GLOBALS[TYPO3_CONF_VARS][BE][cookieSameSite]_ are required for an attack to be successful:
>
> * _SameSite=_***strict***: malicious evil.**example.org** invoking TYPO3 application at good.**example.org**
> * _SameSite=_***lax*** or ***none***: malicious **evil.com** invoking TYPO3 application at **example.org**
>
> ### Solution
>
> Update your instance to TYPO3 version 11.5.0 which addresses the problem described.
>
> ### Credits
>
> Thanks to Richie Lee who reported this issue and to TYPO3 core & security team members Benni Mack and Oliver Hader who fixed the issue.
>
> ### References
>
> * [TYPO3-CORE-SA-2021-014](https://typo3.org/security/advisory/typo3-core-sa-2021-014)
> * [CVE-2020-11069](https://nvd.nist.gov/vuln/detail/CVE-2020-11069) reintroduced in TYPO3 v11.2.0
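The advisory above describes the general shape of the flaw (a shareable backend link that performs a privileged action as soon as the browser attaches the victim's session cookie) and notes that the `cookieSameSite` setting only narrows which origins can mount the request; it does not remove the problem. The following PHP script is an added illustration written for this page, not TYPO3 code and not the patch shipped in 11.5.0. It contrasts a hypothetical deep-link handler that trusts the session cookie alone with a hardened variant that additionally requires a request token derived from a per-session secret and bound to the exact action and arguments. All function names, the `csrf_secret` session key and the sample actions are assumptions for the example.

```php
<?php
// Added illustration, not TYPO3 code: a "deep link" style handler that runs a
// state-changing backend action named in the URL. The vulnerable form trusts the
// session cookie alone; the hardened form additionally requires a request token
// that is bound to the session and that a cross-site page cannot obtain.
declare(strict_types=1);

// Stand-in for a privileged backend operation (hypothetical).
function performAction(string $action, array $args): string
{
    return "executed {$action} with " . json_encode($args);
}

// --- vulnerable: any request carrying the session cookie performs the action ---
function handleDeepLinkVulnerable(array $query, array $session): string
{
    if (!isset($session['user'])) {
        return 'not logged in';
    }
    // The action and its arguments come straight from the link. A third-party
    // page can embed such a link and the browser attaches the victim's cookie;
    // SameSite=lax/none lets any site do this, SameSite=strict still lets a
    // sibling subdomain do it, so the cookie flag alone is not a fix.
    return performAction($query['action'] ?? '', $query['args'] ?? []);
}

// --- hardened: the link must carry a token derived from a per-session secret ---
function requestToken(string $sessionSecret, string $action, array $args): string
{
    // HMAC binds the token to this session AND to the exact action/arguments,
    // so a token for one harmless action cannot be replayed for another.
    $payload = $action . "\0" . json_encode($args, JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $payload, $sessionSecret);
}

function handleDeepLinkHardened(array $query, array $session): string
{
    if (!isset($session['user'], $session['csrf_secret'])) {
        return 'not logged in';
    }
    $action   = $query['action'] ?? '';
    $args     = $query['args'] ?? [];
    $expected = requestToken($session['csrf_secret'], $action, $args);
    $given    = $query['token'] ?? null;
    // hash_equals avoids timing side channels on the comparison.
    if (!is_string($given) || !hash_equals($expected, $given)) {
        return 'rejected: missing or invalid request token';
    }
    return performAction($action, $args);
}

// --- demonstration with a constructed session; no HTTP involved ---
$session = ['user' => 'editor', 'csrf_secret' => bin2hex(random_bytes(32))];

// A link crafted by a third party: it can name the action but cannot know the
// session secret, so it carries no valid token.
$forged = ['action' => 'createUser', 'args' => ['name' => 'x', 'admin' => true]];
echo handleDeepLinkVulnerable($forged, $session), PHP_EOL;   // action runs
echo handleDeepLinkHardened($forged, $session), PHP_EOL;     // rejected

// A link generated by the application for the logged-in user carries a token
// computed from that user's own session secret and is accepted.
$legit = ['action' => 'openRecord', 'args' => ['id' => 42]];
$legit['token'] = requestToken($session['csrf_secret'], $legit['action'], $legit['args']);
echo handleDeepLinkHardened($legit, $session), PHP_EOL;      // executes
```

The design point is that the secret never leaves the server except inside links the application itself renders for the authenticated user, so a page on another origin (or a sibling subdomain under SameSite=strict) can copy the URL shape but not produce a valid token. Binding the HMAC to the action and its arguments also prevents a token captured for a harmless link from being reused for a privileged one.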

Credit: security-advisories@github.com

Affected Software          Affected Version    How to fix
composer/typo3/cms-core    >=11.2.0 <11.5.0    11.5.0
composer/typo3/cms         >=11.2.0 <11.5.0    11.5.0
Typo3 Typo3                >=11.2.0 <11.5.0    11.5.0


Frequently Asked Questions

  • What is CVE-2021-41113?

    CVE-2021-41113 is a Cross-Site-Request-Forgery vulnerability in TYPO3's backend URI handling.

  • How does CVE-2021-41113 affect TYPO3?

    CVE-2021-41113 affects TYPO3 v11 versions from 11.2.0 up to, but not including, 11.5.0.

  • What is the severity of CVE-2021-41113?

    CVE-2021-41113 has a severity of 8.8 (high).

  • How can I fix CVE-2021-41113?

    To fix CVE-2021-41113, update TYPO3 to version 11.5.0 or later, which contains the fix.

  • Where can I find more information about CVE-2021-41113?

    You can find more information about CVE-2021-41113 on the TYPO3 Security Advisory page at https://typo3.org/security/advisory/typo3-core-sa-2021-014.
