Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-34358

TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the `ShowImageController` (`_eID tx_cms_showpic_`) lacks a cryptographic HMAC-signature on the `frame` HTTP query parameter (e.g. `/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`). This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described.

Published

2024-05-14T16:17:25.690

Last Modified

2025-09-03T17:33:35.270

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-200
CWE-347
Type: Primary
CWE-770

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	typo3	typo3	< 9.5.48	Yes
Application	typo3	typo3	< 10.4.45	Yes
Application	typo3	typo3	< 11.5.37	Yes
Application	typo3	typo3	< 12.4.15	Yes
Application	typo3	typo3	< 13.1.1	Yes

References

https://github.com/TYPO3/typo3/commit/05c95fed869a1a6dcca06c7077b83b6ea866ff14 Patch ([email protected])
https://github.com/TYPO3/typo3/commit/1e70ebf736935413b0531004839362b4fb0755a5 Patch ([email protected])
https://github.com/TYPO3/typo3/commit/df7909b6a1cf0f12a42994d0cc3376b607746142 Patch ([email protected])
https://github.com/TYPO3/typo3/security/advisories/GHSA-36g8-62qv-5957 Vendor Advisory, Mitigation ([email protected])
https://typo3.org/security/advisory/typo3-core-sa-2024-010 Vendor Advisory, Mitigation ([email protected])
https://github.com/TYPO3/typo3/commit/05c95fed869a1a6dcca06c7077b83b6ea866ff14 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/TYPO3/typo3/commit/1e70ebf736935413b0531004839362b4fb0755a5 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/TYPO3/typo3/commit/df7909b6a1cf0f12a42994d0cc3376b607746142 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/TYPO3/typo3/security/advisories/GHSA-36g8-62qv-5957 Vendor Advisory, Mitigation (af854a3a-2127-422b-91ae-364da2661108)
https://typo3.org/security/advisory/typo3-core-sa-2024-010 Vendor Advisory, Mitigation (af854a3a-2127-422b-91ae-364da2661108)