[SECURITY] Inherit access to module-related AJAX routes from modules

Several AJAX routes are bound to specific backend modules. While
backend modules have proper authorization checks in place, AJAX routes
are open to any authenticated backend user.

This patch introduces a new config option `inheritAccessFromModule` for
AJAX routes which aims to close this gap. It allows limiting access to
a specific AJAX route by inheriting access permissions from the given
backend module. This is done for all AJAX routes which are used
exclusively in specific backend modules. For example, the AJAX route for
ext:recycler is now bound to the ext:recycler backend module, inheriting
access permissions for this specific route from the given backend module
permissions defined in the appropriate be_users / be_groups records.

Resolves: #106983
Releases: main, 13.4, 12.4
Change-Id: I8ccaa28468945bc8c7e4fb7e7806ae208e4a46ab
Security-Bulletin: TYPO3-CORE-SA-2025-021
Security-References: CVE-2025-59017
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/90631
Tested-by: Oliver Hader <[email protected]>
Reviewed-by: Oliver Hader <[email protected]>
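
The access rule described in the commit message above, modelled as an added PHP example; it is not code from the TYPO3 patch. Route names, paths, module identifiers, the user arrays and the admin shortcut are assumptions; only the option name `inheritAccessFromModule` comes from the message.

```php
<?php
declare(strict_types=1);

// Constructed route table shaped like a backend AJAX route registration.
// Names, paths and module identifiers are illustrative assumptions.
$ajaxRoutes = [
    // Before: no binding, so authentication alone grants access.
    'example_unbound' => ['path' => '/example/unbound'],
    // After: access is inherited from the named backend module.
    'example_bound' => ['path' => '/example/bound', 'inheritAccessFromModule' => 'recycler'],
];

// Hypothetical access decision. $user['modules'] stands for the module
// list resolved from the user's be_users / be_groups records.
function mayCallAjaxRoute(array $route, array $user): bool
{
    if (!$user['authenticated']) {
        return false;
    }
    $module = $route['inheritAccessFromModule'] ?? null;
    if ($module === null) {
        return true; // the gap: any authenticated backend user passes
    }
    if ($user['admin']) {
        return true; // model assumption: admins may use every module
    }
    return in_array($module, $user['modules'], true);
}

// Audit helper: routes that still rely on authentication only.
function unboundRoutes(array $routes): array
{
    return array_keys(array_filter(
        $routes,
        static fn(array $r): bool => empty($r['inheritAccessFromModule'])
    ));
}

// Constructed users: neither is an admin, only one has the module.
$editor = ['authenticated' => true, 'admin' => false, 'modules' => ['web_layout']];
$cleaner = ['authenticated' => true, 'admin' => false, 'modules' => ['web_layout', 'recycler']];

foreach ($ajaxRoutes as $name => $route) {
    printf(
        "%-16s editor=%s cleaner=%s\n",
        $name,
        var_export(mayCallAjaxRoute($route, $editor), true),
        var_export(mayCallAjaxRoute($route, $cleaner), true)
    );
}
echo 'Unbound routes: ' . implode(', ', unboundRoutes($ajaxRoutes)) . "\n";
```

The audit helper is the part to reuse when reviewing an extension's own route registrations: any route it lists is reachable by every authenticated backend user in this model.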