VYPR
High severity · NVD Advisory · Published Oct 5, 2021 · Updated Aug 4, 2024

Cross-Site-Request-Forgery in Backend URI Handling in Typo3

CVE-2021-41113

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site request forgery. The impact is the same as described in TYPO3-CORE-SA-2020-006 (CVE-2020-11069); however, it is not limited to the same site context and does not require the attacker to be authenticated. In a worst case scenario, the attacker could create a new admin user account to compromise the system. To successfully carry out an attack, an attacker must trick the victim into accessing a compromised system while the victim has an active session in the TYPO3 backend. Which attacking host can succeed depends on the Same-Site cookie setting in $GLOBALS[TYPO3_CONF_VARS][BE][cookieSameSite]: with SameSite=strict, a malicious evil.example.org invoking the TYPO3 application at good.example.org; with SameSite=lax or none, a malicious evil.com invoking the TYPO3 application at example.org. Update your instance to TYPO3 version 11.5.0, which addresses the problem described.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TYPO3 v11 deep link feature is vulnerable to CSRF allowing unauthenticated attackers to create admin accounts when victims access malicious sites.

Vulnerability

CVE-2021-41113 affects TYPO3 v11, specifically the new feature for creating and sharing deep links in the backend user interface. This feature is vulnerable to cross-site request forgery (CSRF). Unlike the related CVE-2020-11069 [1], this vulnerability does not require the attacker to be authenticated and is not limited to the same-site context. The Same-Site cookie setting determines which attacking host can succeed: with SameSite=strict, the attacking host must share the site with the TYPO3 backend (e.g., malicious evil.example.org targeting good.example.org); with SameSite=lax or none, a different site suffices (e.g., malicious evil.com targeting example.org). Affected versions are TYPO3 v11 before 11.5.0 [2].

Exploitation

An attacker does not need authentication. The victim must have an active TYPO3 backend session and be tricked into visiting a compromised system controlled by the attacker. The attacker can craft a malicious link or resource that triggers a CSRF request to the TYPO3 backend, leveraging the deep link functionality. The attack can succeed across different sites depending on SameSite cookie settings. The victim's browser will execute the request with the victim's session cookies, performing unintended actions [2].

Impact

Successful exploitation allows an attacker to perform actions with the privileges of the victim's backend user session. In a worst-case scenario, the attacker could create a new admin user account, leading to full compromise of the TYPO3 system. This impact is the same as CVE-2020-11069 [1] [4], but with broader cross-site scope.

Mitigation

The issue is fixed in TYPO3 version 11.5.0, released in October 2021 [2] [3]. Users should update to this version or later. No workarounds are provided in the available references. The fix (commit fa51999203c5, listed under Patches) makes backend route redirection fail closed: a route is only redirected if its configuration explicitly enables it, and only the parameters named in that route's allow-list are carried over; everything else is dropped. There is no indication of CVE-2021-41113 being listed on the CISA KEV catalog.
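The allow-list mechanism of the fix, as an added PHP example that is not TYPO3's own code: it reproduces the fail-closed check and key-based parameter filtering that commit fa51999203c5 adds to RouteRedirect::resolve(), with intersectByMask() as a simplified stand-in for TYPO3's ArrayUtility::intersectRecursive() and a constructed route table and query string.

```php
<?php
// Added example, not TYPO3's own code: models the fail-closed redirect allow-list that
// fix commit fa51999203c5 adds to RouteRedirect::resolve(). intersectByMask() is a
// simplified stand-in for ArrayUtility::intersectRecursive(); all inputs are constructed.
declare(strict_types=1);

final class RouteNotFoundException extends RuntimeException {}

/** Keep only keys of $source present in $mask, recursing where both sides are arrays. */
function intersectByMask(array $source, array $mask): array
{
    $source = array_intersect_key($source, $mask);
    foreach ($source as $key => $value) {
        if (is_array($value) && is_array($mask[$key])) {
            $source[$key] = intersectByMask($value, $mask[$key]);
        }
    }
    return $source;
}

/** Refuse routes that do not opt in, then drop every parameter not on the allow-list. */
function resolveRedirectParameters(string $routeName, ?array $redirect, array $params): array
{
    if (($redirect['enable'] ?? false) !== true) {
        throw new RouteNotFoundException(sprintf('Route "%s" cannot be redirected', $routeName));
    }
    if (empty($redirect['parameters'])) {
        return []; // opted in but no allow-list: nothing is carried over
    }
    return intersectByMask($params, (array)$redirect['parameters']);
}

// Constructed route table shaped like the Routes.php entries in the patch.
$routes = [
    'db_new'      => ['enable' => true, 'parameters' => ['id' => true]],
    'record_edit' => ['enable' => true, 'parameters' => ['edit' => true]],
    'some_route'  => null, // no redirect section: must be rejected
];

// Untrusted query string: only allow-listed keys may reach the redirect target.
$incoming = ['id' => '42', 'returnUrl' => 'https://evil.example.org/', 'edit' => ['pages' => ['42' => 'edit']]];

foreach ($routes as $name => $redirect) {
    try {
        printf("%-12s -> %s\n", $name, json_encode(resolveRedirectParameters($name, $redirect, $incoming)));
    } catch (RouteNotFoundException $e) {
        printf("%-12s -> rejected: %s\n", $name, $e->getMessage());
    }
}
```

Running it shows db_new keeping only id, record_edit keeping the nested edit array, and some_route being rejected, which is the behaviour the patch introduces.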

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (Packagist)    Affected versions       Patched versions
typo3/cms-core         >= 11.2.0, < 11.5.0     11.5.0
typo3/cms              >= 11.2.0, < 11.5.0     11.5.0

Patches

fa51999203c5

[SECURITY] Mitigate CSRF in backend deeplinking

https://github.com/TYPO3/typo3 · Oliver Hader · Oct 5, 2021 · via ghsa
3 files changed · +50 −0
  • typo3/sysext/backend/Classes/Routing/RouteRedirect.php · +14 −0 · modified
    @@ -21,6 +21,7 @@
     use TYPO3\CMS\Backend\Routing\Exception\MethodNotAllowedException;
     use TYPO3\CMS\Backend\Routing\Exception\RouteNotFoundException;
     use TYPO3\CMS\Backend\Routing\Exception\RouteTypeNotAllowedException;
    +use TYPO3\CMS\Core\Utility\ArrayUtility;
     
     /**
      * A value object representing redirects within Backend routing.
    @@ -133,5 +134,18 @@ public function resolve(Router $router): void
                     1627407452
                 );
             }
    +        $settings = $route->getOption('redirect');
    +        if (($settings['enable'] ?? false) !== true) {
    +            throw new RouteNotFoundException(
    +                sprintf('Route "%s" cannot be redirected', $this->name),
    +                1627407511
    +            );
    +        }
    +        // Only use allowed arguments, if set, otherwise no parameters are allowed
    +        if (!empty($settings['parameters'])) {
    +            $this->parameters = ArrayUtility::intersectRecursive($this->parameters, (array)$settings['parameters']);
    +        } else {
    +            $this->parameters = [];
    +        }
         }
     }
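Review bot: the new fail-closed check in resolve() has no accompanying test; of the 3 files changed none is a test, and both branches are cheap to cover (a route whose `redirect` option is missing or has `enable` !== true must throw RouteNotFoundException, and a parameter absent from `parameters` must be dropped). The comment on the `parameters` branch should also state what a mask entry of `true` means for a nested value such as `edit`, i.e. whether the whole subtree is admitted, since that is what callers will rely on when they add allow-lists in Routes.php.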
    
  • typo3/sysext/backend/Configuration/Backend/Routes.php · +24 −0 · modified
    @@ -133,11 +133,23 @@
         'db_new' => [
             'path' => '/record/new',
             'target' => Controller\NewRecordController::class . '::mainAction',
    +        'redirect' => [
    +            'enable' => true,
    +            'parameters' => [
    +                'id' => true,
    +            ],
    +        ],
         ],
     
         'db_new_pages' => [
             'path' => '/record/new-page',
             'target' => Controller\NewRecordController::class . '::newPageAction',
    +        'redirect' => [
    +            'enable' => true,
    +            'parameters' => [
    +                'id' => true,
    +            ],
    +        ],
         ],
     
         // Register sort pages
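Review bot: the identical `redirect` block (`'enable' => true, 'parameters' => ['id' => true]`) is repeated verbatim for `db_new` and `db_new_pages` here and again for `pages_new` below; a single shared array in Routes.php would keep the allow-lists from drifting as routes are added. Note also that the allow-list is key-based only: it restricts which query keys are forwarded, not their values, so the target controllers remain responsible for validating `id`.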
    @@ -150,6 +162,12 @@
         'pages_new' => [
             'path' => '/pages/new',
             'target' => Controller\Page\NewMultiplePagesController::class . '::mainAction',
    +        'redirect' => [
    +            'enable' => true,
    +            'parameters' => [
    +                'id' => true,
    +            ],
    +        ],
         ],
     
         // Register new content element module (used in a modal)
    @@ -208,6 +226,12 @@
         'record_edit' => [
             'path' => '/record/edit',
             'target' => Controller\EditDocumentController::class . '::mainAction',
    +        'redirect' => [
    +            'enable' => true,
    +            'parameters' => [
    +                'edit' => true,
    +            ],
    +        ],
         ],
     
         // Thumbnails
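Review bot: `'edit' => true` forwards the entire nested `edit` structure from the untrusted query string rather than a single scalar as with `id` in the other routes; a short comment explaining that the whole `edit[table][uid]` array is intentionally admitted here would help future readers understand why this allow-list entry is not constrained further.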
    
  • typo3/sysext/core/Documentation/Changelog/11.2/Feature-93988-BackendModuleURLsReflectIntoBrowserAddressbar.rst · +12 −0 · modified
    @@ -25,4 +25,16 @@ Impact
     
     Editors can share links to certain records or include these in bug reports.
     
    +This feature is enabled for all modules. For non-module routes this feature
    +will only work if configured via `Routes.php` by adding a `redirect` section:
    +
    +:php:
    +    'redirect' => [
    +        'enable' => true,
    +        // Transferred parameters when redirecting
    +        'parameters' => [
    +            'my-parameter-name' => true
    +        ]
    +    ],
    +
     .. index:: Backend, JavaScript, ext:backend
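Review bot: `:php:` is an inline role, not a block directive, so the indented sample after it will not render as a code block; use `.. code-block:: php` followed by a blank line. The text should also state the behavioural change this patch makes in RouteRedirect.php: a non-module route without a `redirect` section (or with `enable` not set to `true`) now throws RouteNotFoundException instead of being redirected, and any parameter not listed under `parameters` is dropped.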
    
