Medium severity5.4NVD Advisory· Published May 14, 2024· Updated Jun 17, 2026
CVE-2024-34357
CVE-2024-34357
Description
TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, failing to properly encode user-controlled values in file entities, the ShowImageController (_eID tx_cms_showpic_) is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
typo3/cms-corePackagist | >= 9.0.0, < 9.5.48 | 9.5.48 |
typo3/cms-corePackagist | >= 10.0.0, < 10.4.45 | 10.4.45 |
typo3/cms-corePackagist | >= 11.0.0, < 11.5.37 | 11.5.37 |
typo3/cms-corePackagist | >= 12.0.0, < 12.4.15 | 12.4.15 |
typo3/cms-corePackagist | >= 13.0.0, < 13.1.1 | 13.1.1 |
Affected products
2Patches
Vulnerability mechanics
References
7- github.com/TYPO3/typo3/commit/376474904f6b9a54dc1b785a2e45277cbd13b0d7nvdPatchWEB
- github.com/TYPO3/typo3/commit/b31d05d1da3eeaeead2d19eb43b1c3f9c88e15eenvdPatchWEB
- github.com/TYPO3/typo3/commit/d774642381354d3bf5095a5a26e18acd2767f0b1nvdPatchWEB
- github.com/TYPO3/typo3/security/advisories/GHSA-hw6c-6gwq-3m3mnvdVendor AdvisoryWEB
- github.com/advisories/GHSA-hw6c-6gwq-3m3mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-34357ghsaADVISORY
- typo3.org/security/advisory/typo3-core-sa-2024-009nvdVendor AdvisoryWEB
News mentions
0No linked articles in our index yet.