PT-2024-25814 · Typo3 · Typo3
Torben Hansen · Published 2024-05-14 · Updated 2025-09-03 · CVE-2024-34357 · CVSS v3.1 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
TYPO3 versions 9.0.0 through 9.5.47 ELTS
TYPO3 versions 10.0.0 through 10.4.44 ELTS
TYPO3 versions 11.0.0 through 11.5.36 LTS
TYPO3 versions 12.0.0 through 12.4.14 LTS
TYPO3 versions 13.0.0 through 13.0.0
Description
The issue arises from failing to properly encode user-controlled values in file entities, making the ShowImageController (eID tx_cms_showpic) vulnerable to cross-site scripting. Exploiting this requires a valid backend user account with access to file entities.
Recommendations
Update to TYPO3 version 9.5.48 ELTS
Update to TYPO3 version 10.4.45 ELTS
Update to TYPO3 version 11.5.37 LTS
Update to TYPO3 version 12.4.15 LTS
Update to TYPO3 version 13.1.1
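The following PHP snippet is an added illustration of the vulnerability class named above (user-controlled file-entity metadata reaching HTML output without encoding) and is not TYPO3's code; the record layout and the function names renderImageUnsafe, renderImageSafe, encodeForHtml and containsRawMarkup are assumptions made for this example. It shows the unencoded rendering beside the hardened form and a small check a maintainer can keep next to the renderer.

```php
<?php
// Added example, not TYPO3 code: the array shape and function names below
// are assumptions for illustrating missing output encoding of file metadata.

// Constructed file-entity record. A backend user with access to file
// entities controls fields such as "title" and "alternative".
$fileRecord = [
    'identifier'  => '/user_upload/example.png',
    'title'       => 'Logo" data-injected="yes',   // constructed: breaks out of the attribute
    'alternative' => 'Company <b>logo</b>',        // constructed: raw markup
];

// Vulnerable pattern: metadata is concatenated into HTML attributes verbatim,
// so a double quote in "title" closes the attribute and the rest of the value
// is interpreted as markup.
function renderImageUnsafe(array $file): string
{
    return '<img src="' . $file['identifier']
        . '" title="' . $file['title']
        . '" alt="' . $file['alternative'] . '">';
}

// Hardened pattern: every user-controlled value is encoded for the HTML
// attribute context before concatenation. ENT_QUOTES encodes both quote
// characters, which is what prevents an attribute from being closed early.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderImageSafe(array $file): string
{
    return '<img src="' . encodeForHtml($file['identifier'])
        . '" title="' . encodeForHtml($file['title'])
        . '" alt="' . encodeForHtml($file['alternative']) . '">';
}

// Regression check: none of the raw metadata values that contain quotes or
// angle brackets may appear unchanged in the rendered output.
function containsRawMarkup(string $html, array $file): bool
{
    foreach (['title', 'alternative'] as $field) {
        if (strpos($html, $file[$field]) !== false) {
            return true; // raw value passed through without encoding
        }
    }
    return false;
}

echo renderImageUnsafe($fileRecord), PHP_EOL;
echo renderImageSafe($fileRecord), PHP_EOL;
var_dump(containsRawMarkup(renderImageUnsafe($fileRecord), $fileRecord));
var_dump(containsRawMarkup(renderImageSafe($fileRecord), $fileRecord));
```

The check is deliberately context-specific: encoding must happen at the point where the value is written into HTML, not when it is stored, because the same metadata may later be emitted into a different context (JSON, a URL, a log line) that needs different escaping.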
Weakness Enumeration
XSS
Affected Products
Typo3