TYPO3 vulnerable to an HTML Injection in the History Module
Description
TYPO3 is an enterprise content management system. Starting in version 13.0.0 and prior to version 13.1.1, the history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account. TYPO3 version 13.1.1 fixes the problem described.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TYPO3 history backend module in versions 13.0.0-13.1.0 allows HTML injection via unencoded output, requiring a valid backend user account; fixed in 13.1.1.
Vulnerability
Overview
The history backend module in TYPO3 CMS versions 13.0.0 through 13.1.0 is vulnerable to HTML injection. The record title shown for each history entry comes from BackendUtility::getRecordTitle, which returns a string that is not HTML-encoded when its $prep parameter is false, and the module's Fluid partial rendered that string through f:format.raw(), bypassing Fluid's default output escaping. Any markup in a record title therefore reached the backend page unencoded [1][4]. Although Content-Security-Policy (CSP) headers prevent JavaScript execution, the injection of HTML itself remains possible [3].
Exploitation
Prerequisites
Exploiting this vulnerability requires a valid backend user account: the attacker needs to be able to edit a record whose title (or another value that ends up in a history entry) they control, and a second backend user must then open the history module for that record. The attack vector is network-based (AV:N) with low complexity (AC:L), but it relies on user interaction (UI:R) because the victim has to view the crafted history entry [3]. The injected markup cannot execute scripts because of CSP, but it can still change the page's appearance or add deceptive content such as a fake login form or a phishing link inside the trusted backend layout.
Impact
An authenticated attacker can inject HTML markup into the backend interface, which could be used for UI redressing, luring credentials through fake forms, or similar client-side deception within the trusted backend context. The CVSS v3.1 base score is 3.5 (Low), with low integrity impact (I:L) and no confidentiality or availability impact [3]. The vulnerability does not by itself allow data exfiltration or privilege escalation; its effect is to undermine the integrity of the backend user interface.
Mitigation
The issue is fixed in TYPO3 version 13.1.1. The fix commit removes the f:format.raw() view helper from the record-title cell of the History.html partial, so the title is now passed through Fluid's default HTML escaping before it is rendered [3][4]. Users running affected versions should update immediately. No workaround is documented; upgrading is the recommended solution.
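The same pattern that the fix removes, output piped through f:format.raw() or a template with escaping switched off, can exist in any extension's Fluid templates. The following Python script is an added example for this page, not TYPO3 code: it scans template source for the inline {x -> f:format.raw()} form, the <f:format.raw> tag form and the {escapingEnabled=false} pragma, and it shows what a constructed attacker-chosen record title looks like raw versus escaped. The sample templates (the vulnerable and patched History.html lines from the hunk above plus a made-up third-party template), the injected title and the assumption that Fluid's default escaping behaves like html.escape() are all constructed for the example.

```python
"""Audit Fluid templates for unescaped output sites and show the effect of the fix.

Added example for this advisory page; it is not TYPO3 code. Assumptions:
Fluid's default output escaping behaves like html.escape(), and the three
patterns below (inline raw, tag raw, escapingEnabled=false) are the ones worth
flagging. The sample templates and the injected title are constructed.
"""
import html
import re
from dataclasses import dataclass

# Constructed samples: the History.html line before and after the fix commit,
# plus a made-up third-party template that turns escaping off entirely.
VULNERABLE_PARTIAL = """
<td class="col-recordtitle">
    {historyRow.title -> f:format.raw()} ({historyRow.recordTable}:{historyRow.recordUid})
</td>
"""

PATCHED_PARTIAL = """
<td class="col-recordtitle">
    {historyRow.title} ({historyRow.recordTable}:{historyRow.recordUid})
</td>
"""

THIRD_PARTY_TEMPLATE = """{escapingEnabled=false}
<h2><f:format.raw>{record.title}</f:format.raw></h2>
<p>{record.description}</p>
"""

INLINE_RAW = re.compile(r"\{\s*([^{}]+?)\s*->\s*f:format\.raw\(\)\s*\}")
TAG_RAW = re.compile(r"<f:format\.raw>(.*?)</f:format\.raw>", re.DOTALL)
ESCAPING_OFF = re.compile(r"\{\s*escapingEnabled\s*=\s*false\s*\}")


@dataclass(frozen=True)
class Finding:
    kind: str        # "f:format.raw" or "escapingEnabled=false"
    expression: str  # the Fluid expression that reaches the page unescaped
    line: int        # 1-based line number in the template source


def _line_of(source: str, offset: int) -> int:
    return source.count("\n", 0, offset) + 1


def audit_template(source: str) -> list[Finding]:
    """Return every place where output bypasses Fluid's default HTML escaping."""
    findings = []
    for m in ESCAPING_OFF.finditer(source):
        findings.append(Finding("escapingEnabled=false", m.group(0), _line_of(source, m.start())))
    for m in INLINE_RAW.finditer(source):
        findings.append(Finding("f:format.raw", m.group(1), _line_of(source, m.start())))
    for m in TAG_RAW.finditer(source):
        findings.append(Finding("f:format.raw", m.group(1).strip(), _line_of(source, m.start())))
    return sorted(findings, key=lambda f: (f.line, f.kind))


def render_title(title: str, raw: bool) -> str:
    """Mimic the two template forms: raw output versus Fluid's default escaping."""
    return title if raw else html.escape(title, quote=True)


# Constructed attacker-controlled value: a backend user who can edit a record
# chooses its title, and that title is what the history list displays. Without
# escaping it closes the table cell and adds a link; CSP blocks scripts, not this.
INJECTED_TITLE = (
    '</td><td><a href="https://example.invalid/login">'
    "Session expired, log in again</a>"
)


def is_markup_free(rendered: str) -> bool:
    """True when the rendered fragment cannot open or close an HTML tag."""
    return "<" not in rendered and ">" not in rendered


if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_PARTIAL),
                      ("patched", PATCHED_PARTIAL),
                      ("third-party", THIRD_PARTY_TEMPLATE)]:
        print(f"{name}: {audit_template(src) or 'no unescaped output'}")
    print("raw    :", render_title(INJECTED_TITLE, raw=True))
    print("escaped:", render_title(INJECTED_TITLE, raw=False))
```

Run it over the Resources/Private directory of your own extensions (read each .html file and pass its contents to audit_template) and review every finding: raw output is only acceptable for values that are generated by trusted code or were already encoded upstream.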
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typo3/cms-core (Packagist) | >= 13.0.0, < 13.1.1 | 13.1.1 |
Patches
56afa304ba8b [SECURITY] Prevent HTML Injection in History Backend Module
1 file changed · +1 −1
typo3/sysext/backend/Resources/Private/Partials/RecordHistory/History.html+1 −1 modified@@ -63,7 +63,7 @@ <h3>{day}</h3> </span> </td> <td class="col-recordtitle"> - {historyRow.title -> f:format.raw()} ({historyRow.recordTable}:{historyRow.recordUid}) + {historyRow.title} ({historyRow.recordTable}:{historyRow.recordUid}) </td> <td class="col-action"> <f:variable name="actionTypeClass">
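Review bot: dropping `-> f:format.raw()` makes `{historyRow.title}` depend on Fluid's default output escaping, and two things outside the visible lines need confirming for that to be sufficient: the partial must not declare `{escapingEnabled=false}` in its header, which would leave the title unescaped despite this change, and the value assigned to historyRow.title must not already be HTML-encoded by the controller, otherwise legitimate titles containing `&`, `<` or quotes now render double-escaped. The neighbouring `{historyRow.recordTable}` and `{historyRow.recordUid}` outputs on the same line were already escaped, so the cell is consistent after the change.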
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-xjwx-78x7-q6jc (GitHub Advisory Database)
- nvd.nist.gov/vuln/detail/CVE-2024-34355 (NVD)
- github.com/TYPO3/typo3/commit/56afa304ba8b5ad302e15df5def71bcc8d820375 (fix commit)
- github.com/TYPO3/typo3/security/advisories/GHSA-xjwx-78x7-q6jc (TYPO3 repository advisory)
- typo3.org/security/advisory/typo3-core-sa-2024-007 (TYPO3-CORE-SA-2024-007)