Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-34357

TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, failing to properly encode user-controlled values in file entities, the `ShowImageController` (`_eID tx_cms_showpic_`) is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described.

Published

2024-05-14T16:17:25.210

Last Modified

2025-09-03T17:34:06.120

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

Weaknesses

Type: Secondary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	typo3	typo3	< 9.5.48	Yes
Application	typo3	typo3	< 10.4.45	Yes
Application	typo3	typo3	< 11.5.37	Yes
Application	typo3	typo3	< 12.4.15	Yes
Application	typo3	typo3	< 13.1.1	Yes

References

https://github.com/TYPO3/typo3/commit/376474904f6b9a54dc1b785a2e45277cbd13b0d7 Patch ([email protected])
https://github.com/TYPO3/typo3/commit/b31d05d1da3eeaeead2d19eb43b1c3f9c88e15ee Patch ([email protected])
https://github.com/TYPO3/typo3/commit/d774642381354d3bf5095a5a26e18acd2767f0b1 Patch ([email protected])
https://github.com/TYPO3/typo3/security/advisories/GHSA-hw6c-6gwq-3m3m Vendor Advisory ([email protected])
https://typo3.org/security/advisory/typo3-core-sa-2024-009 Vendor Advisory ([email protected])
https://github.com/TYPO3/typo3/commit/376474904f6b9a54dc1b785a2e45277cbd13b0d7 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/TYPO3/typo3/commit/b31d05d1da3eeaeead2d19eb43b1c3f9c88e15ee Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/TYPO3/typo3/commit/d774642381354d3bf5095a5a26e18acd2767f0b1 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/TYPO3/typo3/security/advisories/GHSA-hw6c-6gwq-3m3m Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://typo3.org/security/advisory/typo3-core-sa-2024-009 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)