Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-55924

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-14 Jan, 2025 | 19:16
Updated At-15 Jan, 2025 | 15:02
Rejected At-
Credits

Cross-Site Request Forgery in Scheduler Module in TYPO3

TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions: The user opens a malicious link, such as one sent via email. The user visits a compromised or manipulated website while the following settings are misconfigured: 1. `security.backend.enforceReferrer` feature is disabled, 2. `BE/cookieSameSite` configuration is set to lax or none. The vulnerability in the affected downstream component “Scheduler Module” allows attackers to trigger pre-defined command classes - which can lead to unauthorized import or export of data in the worst case. Users are advised to update to TYPO3 versions 11.5.42 ELTS which fixes the problem described. There are no known workarounds for this vulnerability.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:14 Jan, 2025 | 19:16
Updated At:15 Jan, 2025 | 15:02
Rejected At:
▼CVE Numbering Authority (CNA)
Cross-Site Request Forgery in Scheduler Module in TYPO3

TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions: The user opens a malicious link, such as one sent via email. The user visits a compromised or manipulated website while the following settings are misconfigured: 1. `security.backend.enforceReferrer` feature is disabled, 2. `BE/cookieSameSite` configuration is set to lax or none. The vulnerability in the affected downstream component “Scheduler Module” allows attackers to trigger pre-defined command classes - which can lead to unauthorized import or export of data in the worst case. Users are advised to update to TYPO3 versions 11.5.42 ELTS which fixes the problem described. There are no known workarounds for this vulnerability.

Affected Products
Vendor
TYPO3 AssociationTYPO3
Product
typo3
Versions
Affected
  • >= 11.0.0, < 11.5.42
Problem Types
TypeCWE IDDescription
CWECWE-352CWE-352: Cross-Site Request Forgery (CSRF)
CWECWE-749CWE-749: Exposed Dangerous Method or Function
Type: CWE
CWE ID: CWE-352
Description: CWE-352: Cross-Site Request Forgery (CSRF)
Type: CWE
CWE ID: CWE-749
Description: CWE-749: Exposed Dangerous Method or Function
Metrics
VersionBase scoreBase severityVector
3.18.0HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/TYPO3/typo3/security/advisories/GHSA-7835-fcv3-g256
x_refsource_CONFIRM
https://typo3.org/security/advisory/typo3-core-sa-2025-009
x_refsource_MISC
Hyperlink: https://github.com/TYPO3/typo3/security/advisories/GHSA-7835-fcv3-g256
Resource:
x_refsource_CONFIRM
Hyperlink: https://typo3.org/security/advisory/typo3-core-sa-2025-009
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:14 Jan, 2025 | 20:15
Updated At:26 Aug, 2025 | 19:35

TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions: The user opens a malicious link, such as one sent via email. The user visits a compromised or manipulated website while the following settings are misconfigured: 1. `security.backend.enforceReferrer` feature is disabled, 2. `BE/cookieSameSite` configuration is set to lax or none. The vulnerability in the affected downstream component “Scheduler Module” allows attackers to trigger pre-defined command classes - which can lead to unauthorized import or export of data in the worst case. Users are advised to update to TYPO3 versions 11.5.42 ELTS which fixes the problem described. There are no known workarounds for this vulnerability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.0HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CPE Matches
TYPO3 Association
typo3
>>typo3>>Versions from 11.0.0(inclusive) to 11.5.42(exclusive)
cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-352Primarysecurity-advisories@github.com
CWE-749Primarysecurity-advisories@github.com
CWE ID: CWE-352
Type: Primary
Source: security-advisories@github.com
CWE ID: CWE-749
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/TYPO3/typo3/security/advisories/GHSA-7835-fcv3-g256security-advisories@github.com
Vendor Advisory
https://typo3.org/security/advisory/typo3-core-sa-2025-009security-advisories@github.com
Vendor Advisory
Hyperlink: https://github.com/TYPO3/typo3/security/advisories/GHSA-7835-fcv3-g256
Source: security-advisories@github.com
Resource:
Vendor Advisory
Hyperlink: https://typo3.org/security/advisory/typo3-core-sa-2025-009
Source: security-advisories@github.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

64Records found
CVE-2017-7571
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.29% / 52.06%
||
7 Day CHG~0.00%
Published-06 Apr, 2017 | 17:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

public/rolechangeadmin in Faveo 1.9.3 allows CSRF. The impact is obtaining admin privileges.

Action-Not Available
Vendor-ladybirdwebn/a
Product-faveo_helpdeskn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-20593
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.12% / 30.97%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 22:35
Updated-04 Aug, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) in Rockoa v1.9.8 allows an authenticated attacker to arbitrarily add an administrator account.

Action-Not Available
Vendor-rockoan/a
Product-rockoan/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-21366
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.06% / 18.70%
||
7 Day CHG~0.00%
Published-20 Jun, 2023 | 00:00
Updated-10 Dec, 2024 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Request Forgery vulnerability in GreenCMS v.2.3 allows an attacker to gain privileges via the adduser function of index.php.

Action-Not Available
Vendor-njtechn/a
Product-greencmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-18458
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.11% / 30.88%
||
7 Day CHG~0.00%
Published-12 Aug, 2021 | 18:02
Updated-04 Aug, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Request Forgery (CSRF) vulnerability exists in DamiCMS v6.0.6 that can add an admin account via admin.php?s=/Admin/doadd.

Action-Not Available
Vendor-damicmsn/a
Product-damicmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-1891
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 7.51%
||
7 Day CHG~0.00%
Published-03 Mar, 2025 | 23:31
Updated-26 Aug, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
shishuocms cross-site request forgery

A vulnerability was found in shishuocms 1.1 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-qzw1210n/a
Product-shishuocmsshishuocms
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2020-13658
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.14% / 34.95%
||
7 Day CHG~0.00%
Published-29 Sep, 2020 | 18:52
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Lansweeper 8.0.130.17, the web console is vulnerable to a CSRF attack that would allow a low-level Lansweeper user to elevate their privileges within the application.

Action-Not Available
Vendor-lansweepern/a
Product-lansweepern/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-0269
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8||HIGH
EPSS-0.14% / 34.34%
||
7 Day CHG~0.00%
Published-24 Jan, 2022 | 11:30
Updated-02 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in yetiforcecompany/yetiforcecrm

Cross-Site Request Forgery (CSRF) in Packagist yetiforce/yetiforce-crm prior to 6.3.0.

Action-Not Available
Vendor-yetiforceyetiforcecompany
Product-yetiforce_customer_relationship_managementyetiforcecompany/yetiforcecrm
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-0154
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-7.5||HIGH
EPSS-0.13% / 33.82%
||
7 Day CHG~0.00%
Published-18 Jan, 2022 | 16:52
Updated-02 Aug, 2024 | 23:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-32761
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.33% / 55.10%
||
7 Day CHG~0.00%
Published-14 Jul, 2023 | 00:00
Updated-30 Oct, 2024 | 15:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Request Forgery (CSRF) vulnerability in Archer Platform before v.6.13 and fixed in v.6.12.0.6 and v.6.13.0 allows an authenticated attacker to execute arbitrary code via a crafted request.

Action-Not Available
Vendor-archerirmn/a
Product-archern/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-47082
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.05% / 16.72%
||
7 Day CHG~0.00%
Published-25 Sep, 2024 | 17:48
Updated-01 Oct, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Strawberry GraphQL Cross-Site Request Forgery (CSRF) vulnerability

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable to cross-site request forgery (CSRF) attacks if users did not explicitly enable CSRF preventing security mechanism for their servers. Additionally, the Django HTTP view integration, in particular, had an exemption for Django's built-in CSRF protection (i.e., the `CsrfViewMiddleware` middleware) by default. In affect, all Strawberry integrations were vulnerable to CSRF attacks by default. Version `v0.243.0` is the first `strawberry-graphql` including a patch.

Action-Not Available
Vendor-strawberryrocksstrawberry-graphql
Product-strawberrystrawberry
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-46394
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.02% / 4.55%
||
7 Day CHG~0.00%
Published-19 Sep, 2024 | 00:00
Updated-25 Sep, 2024 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/?/user/add

Action-Not Available
Vendor-frogcms_projectn/afrogcms_project
Product-frogcmsn/afrogcms
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-24945
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8||HIGH
EPSS-0.14% / 35.41%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 10:41
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Like Button Rating < 2.6.38 - Unauthorised Vote Export to Email & IP Addresses Disclosure

The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog.

Action-Not Available
Vendor-likebtnUnknown
Product-like_button_ratingLike Button Rating ♥ LikeBtn
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-24905
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8||HIGH
EPSS-0.13% / 33.45%
||
7 Day CHG~0.00%
Published-21 Mar, 2022 | 18:55
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion

The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to the users.

Action-Not Available
Vendor-vsourzUnknown
Product-advanced_cf7_dbAdvanced Contact form 7 DB
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-20758
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-0.09% / 27.01%
||
7 Day CHG~0.00%
Published-18 Aug, 2021 | 05:35
Updated-03 Aug, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Message of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to hijack the authentication of administrators and perform an arbitrary operation via unspecified vectors.

Action-Not Available
Vendor-Cybozu, Inc.
Product-garoonCybozu Garoon
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • Next
Details not found