Traffic Cop Gone Rogue: Hijacking TYPO3 Redirects
Jan 14, 2026
Executive Summary (TL;DR)
In multi-site TYPO3 installations, the Redirects module failed to enforce 'Webmount' boundaries. As a result, a low-privileged editor assigned to manage a small sub-site could view, modify, and delete URL redirects for the entire CMS instance—including the main corporate domains. While this is not Remote Code Execution (RCE), it enables high-impact phishing and SEO poisoning.
A Broken Access Control vulnerability in TYPO3 CMS allows restricted backend users to manage redirects for sites they shouldn't access, enabling domain hijacking and phishing campaigns.
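The following is an added illustration, not code from TYPO3 or from this advisory, of the authorization gap described above: a redirect listing that ignores the editor's webmount next to one that enforces it. The data model (a `Redirect` with a `source_host`, a `BackendUser` with a set of webmount hosts) is a simplified stand-in for the real CMS records, and the sample redirects and users are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, FrozenSet

# Simplified stand-in for a TYPO3 redirect record (assumed shape, not the real table).
@dataclass(frozen=True)
class Redirect:
    uid: int
    source_host: str      # host the redirect matches; "*" means every site (assumed semantics)
    source_path: str
    target: str


# Simplified stand-in for a backend user: admins see everything, editors only
# the sites their webmounts cover (assumed model).
@dataclass(frozen=True)
class BackendUser:
    username: str
    is_admin: bool
    webmount_hosts: FrozenSet[str]


# Constructed sample data: a corporate site, a sub-site and a global redirect.
REDIRECTS: List[Redirect] = [
    Redirect(1, "www.example.test", "/old-news", "/news"),
    Redirect(2, "shop.example.test", "/sale", "/products/sale"),
    Redirect(3, "*", "/legacy", "https://www.example.test/"),
]

ADMIN = BackendUser("admin", True, frozenset())
SHOP_EDITOR = BackendUser("shop-editor", False, frozenset({"shop.example.test"}))


def list_redirects_unscoped(user: BackendUser, redirects: Iterable[Redirect]) -> List[Redirect]:
    """Vulnerable behaviour (CWE-862): every record is returned regardless of who asks."""
    return list(redirects)


def can_manage(user: BackendUser, redirect: Redirect) -> bool:
    """Authorization check applied to view, edit and delete alike.

    Admins may manage any redirect. A non-admin may only touch redirects whose
    source host lies inside their webmounts; a wildcard-host redirect affects
    every site, so it is reserved for admins (assumed policy).
    """
    if user.is_admin:
        return True
    if redirect.source_host == "*":
        return False
    return redirect.source_host in user.webmount_hosts


def list_redirects_scoped(user: BackendUser, redirects: Iterable[Redirect]) -> List[Redirect]:
    """Fixed behaviour: the listing is filtered by the same check used for writes."""
    return [r for r in redirects if can_manage(user, r)]


def update_target(user: BackendUser, redirect: Redirect, new_target: str) -> Redirect:
    """Write path: refuse the change unless the user is authorized for this record."""
    if not can_manage(user, redirect):
        raise PermissionError(
            f"{user.username} may not modify redirect {redirect.uid} for host {redirect.source_host}"
        )
    return Redirect(redirect.uid, redirect.source_host, redirect.source_path, new_target)


if __name__ == "__main__":
    print("unscoped:", [r.uid for r in list_redirects_unscoped(SHOP_EDITOR, REDIRECTS)])
    print("scoped:  ", [r.uid for r in list_redirects_scoped(SHOP_EDITOR, REDIRECTS)])
```

The important design point is that `can_manage` is a single function shared by the listing and the write path: a listing filter alone is not a fix, because an editor who already knows a record's uid could still submit an edit or delete for it. Checking the same predicate on every operation closes that gap.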
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| TYPO3 CMS | >= 10.0.0, <= 10.4.54 | 10.4.55 |
| TYPO3 CMS | >= 11.0.0, <= 11.5.48 | 11.5.49 |
| TYPO3 CMS | >= 12.0.0, <= 12.4.40 | 12.4.41 |
| TYPO3 CMS | >= 13.0.0, <= 13.4.22 | 13.4.23 |
| TYPO3 CMS | >= 14.0.0, <= 14.0.1 | 14.0.2 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-862 |
| Attack Vector | Network |
| CVSS 4.0 | 5.3 (Medium) |
| Privileges Required | Low (Backend User) |
| EPSS Score | 0.00039 |
| Impact | Integrity / Phishing Risk |
MITRE ATT&CK Mapping
The application does not verify or incorrectly verifies that the user, or the process acting on behalf of the user, has authorization for a resource that is accessed.