VYPR
Moderate severity · NVD Advisory · Published May 14, 2024 · Updated Aug 2, 2024

TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController

CVE-2024-34358

Description

TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the ShowImageController (_eID tx_cms_showpic_) lacks a cryptographic HMAC-signature on the frame HTTP query parameter (e.g. /index.php?eID=tx_cms_showpic?file=3&...&frame=12345). This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TYPO3 ShowImageController missing HMAC on frame parameter allows attackers to trigger arbitrary thumbnail generation, leading to uncontrolled resource consumption.

Vulnerability

The ShowImageController (_eID tx_cms_showpic_) in TYPO3 versions 9.0.0 through 9.5.47 ELTS, 10.4.44 ELTS, 11.5.36 LTS, 12.4.14 LTS, and 13.1.0 lacks a cryptographic HMAC-signature on the frame HTTP query parameter [1]. This means the parameter is not validated for integrity, allowing an attacker to manipulate it without detection.

Exploitation

An adversary can craft a request to /index.php?eID=tx_cms_showpic?file=3&...&frame=12345 with an arbitrary frame value [1]. The system will then generate a thumbnail image for each such request. Since no authentication is required, the attacker can issue many requests with different frame values, causing the server to create numerous thumbnails.

Impact

The primary impact is uncontrolled resource consumption (CPU, memory, disk I/O) on the server [1][3][4]. By generating an arbitrary number of thumbnail images, an attacker could exhaust server resources, leading to denial of service for legitimate users.
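The request pattern described under Exploitation and Impact (one client cycling the frame value against the same file) is visible in ordinary web-server access logs. The following Python script is an added example, not part of this advisory or of TYPO3: it parses combined-format access-log lines, counts the distinct frame values each client requests per file from the tx_cms_showpic eID, and flags clients above a threshold. The log lines, IP addresses and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Minimal parser for Apache/nginx "combined" access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def _line(ip, target, status=200):
    """Build one constructed combined-log line (sample data, not a real server log)."""
    return (f'{ip} - - [14/May/2024:10:00:00 +0000] "GET {target} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample: a normal visitor fetching the same thumbnail three times,
# a client cycling the frame value against file 3, an unrelated eID, and one
# unparsable line to show the parser skips garbage instead of crashing.
SAMPLE_LOG = [_line("203.0.113.10", "/index.php?eID=tx_cms_showpic&file=3&frame=0")] * 3
SAMPLE_LOG += [_line("198.51.100.7", f"/index.php?eID=tx_cms_showpic&file=3&frame={n}")
               for n in range(12)]
SAMPLE_LOG += [_line("203.0.113.10", "/index.php?eID=other_script&file=3&frame=5")]
SAMPLE_LOG.append("garbage line that does not parse")


def showpic_frames(lines):
    """Map (client ip, file) -> set of distinct frame values requested via tx_cms_showpic."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        params = dict(parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True))
        if params.get("eID") != "tx_cms_showpic" or "frame" not in params:
            continue  # only showpic requests that actually carry a frame value matter
        seen[(m["ip"], params.get("file", ""))].add(params["frame"])
    return seen


def flag_clients(lines, threshold=10):
    """Return sorted [(ip, file, distinct_frames)] for clients at or above the threshold."""
    return sorted(
        (ip, file_id, len(frames))
        for (ip, file_id), frames in showpic_frames(lines).items()
        if len(frames) >= threshold
    )


if __name__ == "__main__":
    for ip, file_id, count in flag_clients(SAMPLE_LOG):
        print(f"{ip} requested {count} distinct frames of file {file_id}")
```

The threshold is deliberately per (client, file): a visitor legitimately paging through a multi-frame document touches a handful of frames, while the pattern the advisory describes produces a new frame value on nearly every request. On patched versions the parameter is ignored unless the feature flag is enabled, so a client still cycling it after the upgrade is probing rather than rendering anything, which is itself worth an alert.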

Mitigation

The issue is fixed in TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1 [1]. The fix ignores the frame parameter unless the new feature flag security.frontend.allowInsecureFrameOptionInShowImageController, which is disabled by default, is explicitly enabled [3][4]. Administrators are advised to update immediately.
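The description frames the root cause as a missing HMAC over the frame parameter, while the shipped fix ignores the parameter unless the feature flag is enabled. The following Python example, added here and not TYPO3's own HashService code, shows what an integrity check of that kind looks like: the server signs the query it generates with a server-side secret (in TYPO3 that role is played by the site's encryptionKey), and any change to the frame value, or to any other signed value, or a missing signature, fails verification. The parameter name sig, the canonicalisation rule and the key value are assumptions for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

SIG_PARAM = "sig"  # assumed name for the signature parameter (not TYPO3's)


def canonical_query(items):
    """Deterministic serialisation of the (key, value) pairs that get signed.

    Sorting makes the signature independent of parameter order, so a reordered
    but otherwise unchanged query still verifies."""
    return urlencode(sorted(items))


def sign_query(params, key):
    """Return a query string carrying an HMAC-SHA256 over every parameter.

    `params` holds the values the server wants to pin, including the file and
    frame values the advisory describes as unprotected; `key` is a server-side
    secret that clients never see."""
    items = [(k, str(v)) for k, v in params.items() if k != SIG_PARAM]
    body = canonical_query(items)
    mac = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{body}&{SIG_PARAM}={mac}"


def verify_query(query, key):
    """Return the verified parameters, or None when the signature is absent,
    duplicated, or does not match the received values."""
    items = parse_qsl(query, keep_blank_values=True)
    sigs = [v for k, v in items if k == SIG_PARAM]
    if len(sigs) != 1:
        return None  # no signature, or an ambiguous second one
    rest = [(k, v) for k, v in items if k != SIG_PARAM]
    expected = hmac.new(key, canonical_query(rest).encode("utf-8"),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected, sigs[0]):
        return None
    return dict(rest)


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"  # constructed; use a real server secret
    signed = sign_query({"eID": "tx_cms_showpic", "file": "3", "frame": "0"}, key)
    print(signed)
    print(verify_query(signed, key))                                      # accepted
    print(verify_query(signed.replace("frame=0", "frame=12345"), key))  # None: frame tampered
    print(verify_query("eID=tx_cms_showpic&file=3&frame=0", key))        # None: no signature
```

With a check like this in front of the controller, a request with a frame value the server did not itself generate is rejected before any image processing starts, which is the property the advisory says the affected versions lacked. Whatever the signed set is, it must include every parameter that influences the cost of the work performed; signing the file reference while leaving frame unsigned is exactly the gap described above.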

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions       Patched version
typo3/cms-core   Packagist   >= 9.0.0, < 9.5.48      9.5.48
typo3/cms-core   Packagist   >= 10.0.0, < 10.4.45    10.4.45
typo3/cms-core   Packagist   >= 11.0.0, < 11.5.37    11.5.37
typo3/cms-core   Packagist   >= 12.0.0, < 12.4.15    12.4.15
typo3/cms-core   Packagist   >= 13.0.0, < 13.1.1     13.1.1

Affected products: 2

Patches: 3
1e70ebf73693

[SECURITY] Protect frame GET parameter in tx_cms_showpic eID

https://github.com/TYPO3/typo3 · Benni Mack · May 14, 2024 · via ghsa
6 files changed · +53 −2
  • typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml (+3 −0, modified)
    @@ -193,6 +193,9 @@ SYS:
                   security.frontend.enforceContentSecurityPolicy:
                     type: bool
                     description: 'If on, HTTP Content-Security-Policy header will be applied for each HTTP frontend request.'
    +              security.frontend.allowInsecureFrameOptionInShowImageController:
    +                type: bool
    +                description: 'If on, the eID Script "tx_cms_showpic" respects the GET parameter "frame" without being signed. Should not be enabled as this allows uncontrolled resource consumption.'
                   security.frontend.allowInsecureSiteResolutionByQueryParameters:
                     type: bool
                     description: 'If on, site resolution can be overwritten by `&id=...&L=...` parameters, URI path & host are just used as default.'
    
  • typo3/sysext/core/Configuration/DefaultConfiguration.php (+1 −0, modified)
    @@ -86,6 +86,7 @@
                 'security.backend.enforceReferrer' => true,
                 'security.frontend.enforceContentSecurityPolicy' => false,
                 'security.frontend.allowInsecureSiteResolutionByQueryParameters' => false,
    +            'security.frontend.allowInsecureFrameOptionInShowImageController' => false,
             ],
             'createGroup' => '',
             'sitename' => 'TYPO3',
    
  • typo3/sysext/core/Documentation/Changelog/11.5.x/Important-103306-FrameGETParameterInTx_cms_showpicEIDDisabled.rst (+32 −0, added)
    @@ -0,0 +1,32 @@
    +.. include:: /Includes.rst.txt
    +
    +.. _important-103306-1714976257:
    +
    +=======================================================================
    +Important: #103306 - Frame GET parameter in tx_cms_showpic eID disabled
    +=======================================================================
    +
    +See :issue:`103306`
    +
    +Description
    +===========
    +
    +The show image controller (eID `tx_cms_showpic`) lacks a cryptographic
    +HMAC-signature on the frame HTTP query parameter (e.g.
    +`/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`).
    +This allows adversaries to instruct the system to produce an arbitrary number of
    +thumbnail images on the server side.
    +
    +To prevent uncontrolled resource consumption, the frame HTTP query parameter is
    +now ignored, since it could not be used by core APIs.
    +
    +The new feature flag
    +`security.frontend.allowInsecureFrameOptionInShowImageController` — which is
    +disabled per default — can be used to reactivate the previous behavior:
    +
    +..  code-block:: php
    +
    +    $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.frontend.allowInsecureFrameOptionInShowImageController'] = true;
    +
    +
    +.. index:: Frontend, NotScanned, ext:frontend
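Review bot: the sentence "now ignored, since it could not be used by core APIs" in the Description block reads as a contradiction (if the parameter could not be used, there was nothing to ignore); the intended point, as the surrounding text implies, is that no core API emits a frame parameter in generated URLs, so dropping it breaks no core-generated link. Suggest "now ignored; core APIs never generate URLs carrying it, so nothing relying on core-built links is affected", and "disabled per default" should read "disabled by default".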
    
  • typo3/sysext/frontend/Classes/Controller/ShowImageController.php (+12 −2, modified)
    @@ -19,6 +19,7 @@
     
     use Psr\Http\Message\ResponseInterface;
     use Psr\Http\Message\ServerRequestInterface;
    +use TYPO3\CMS\Core\Configuration\Features;
     use TYPO3\CMS\Core\Crypto\HashService;
     use TYPO3\CMS\Core\Exception;
     use TYPO3\CMS\Core\Http\Response;
    @@ -76,7 +77,7 @@ class ShowImageController
         protected $crop;
     
         /**
    -     * @var int
    +     * @var int|null
          */
         protected $frame;
     
    @@ -106,6 +107,10 @@ class ShowImageController
     </html>
     EOF;
     
    +    public function __construct(
    +        protected readonly Features $features
    +    ) {}
    +
         /**
          * Init function, setting the input vars in the global space.
          *
    @@ -151,7 +156,12 @@ public function initialize()
                 throw new Exception('File processing for local storage is denied', 1594043425);
             }
     
    -        $this->frame = $this->request->getQueryParams()['frame'] ?? null;
    +        if ($this->features->isFeatureEnabled('security.frontend.allowInsecureFrameOptionInShowImageController')) {
    +            $frameValue = $this->request->getQueryParams()['frame'] ?? null;
    +            if ($frameValue !== null && MathUtility::canBeInterpretedAsInteger($frameValue)) {
    +                $this->frame = (int)$frameValue;
    +            }
    +        }
         }
     
         /**
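Review bot: the new branch calls MathUtility::canBeInterpretedAsInteger(), but none of the visible hunks add a use statement for TYPO3\CMS\Core\Utility\MathUtility; if the class is not already imported in this file, the failure only surfaces when the feature flag is enabled, which a default-configuration test setup would never exercise, so confirm the import. A short comment at the if would also help: with the flag off, $this->frame now stays null (matching the @var int|null change), whereas the pre-patch line passed the raw query value through unchecked; with the flag on, the value is additionally restricted to integers, a behaviour change the changelog does not mention.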
    
  • typo3/sysext/frontend/Configuration/Services.yaml (+3 −0, modified)
    @@ -20,6 +20,9 @@ services:
           $pageCache: '@cache.pages'
           $typoScriptCache: '@cache.typoscript'
     
    +  TYPO3\CMS\Frontend\Controller\ShowImageController:
    +    public: true
    +
       TYPO3\CMS\Frontend\ContentObject\ContentDataProcessor:
         public: true
     
    
  • typo3/sysext/frontend/Tests/Functional/Controller/ShowImageControllerTest.php (+2 −0, modified)
    @@ -22,6 +22,7 @@
     use PHPUnit\Framework\Attributes\Test;
     use PHPUnit\Framework\MockObject\MockObject;
     use Psr\Http\Message\ServerRequestInterface;
    +use TYPO3\CMS\Core\Configuration\Features;
     use TYPO3\CMS\Core\Crypto\HashService;
     use TYPO3\CMS\Core\Resource\FileInterface;
     use TYPO3\CMS\Core\Resource\ProcessedFile;
    @@ -50,6 +51,7 @@ protected function setUp(): void
                 ->disableOriginalConstructor()
                 ->getMock();
             $this->subject = $this->getMockBuilder(ShowImageController::class)
    +            ->setConstructorArgs([new Features()])
                 ->onlyMethods(['processImage'])
                 ->getMock();
             GeneralUtility::setSingletonInstance(ResourceFactory::class, $this->resourceFactory);
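Review bot: the only change to ShowImageControllerTest is wiring `new Features()` into the constructor, so no test asserts the new behaviour. Suggest two cases on initialize(): with default configuration a request carrying `frame=12345` leaves the frame unset, and with the feature flag enabled the same request yields an integer frame while a non-numeric value is rejected.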
    
df7909b6a1cf

[SECURITY] Protect frame GET parameter in tx_cms_showpic eID

https://github.com/TYPO3/typo3 · Benni Mack · May 14, 2024 · via ghsa
6 files changed · +52 −1
  • typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml (+3 −0, modified)
    @@ -208,6 +208,9 @@ SYS:
                   security.frontend.enforceContentSecurityPolicy:
                     type: bool
                     description: 'If on, HTTP Content-Security-Policy header will be applied for each HTTP frontend request.'
    +              security.frontend.allowInsecureFrameOptionInShowImageController:
    +                type: bool
    +                description: 'If on, the eID Script "tx_cms_showpic" respects the GET parameter "frame" without being signed. Should not be enabled as this allows uncontrolled resource consumption.'
                   security.frontend.allowInsecureSiteResolutionByQueryParameters:
                     type: bool
                     description: 'If on, site resolution can be overwritten by `&id=...&L=...` parameters, URI path & host are just used as default.'
    
  • typo3/sysext/core/Configuration/DefaultConfiguration.php (+1 −0, modified)
    @@ -78,6 +78,7 @@
                 'security.frontend.enforceContentSecurityPolicy' => false,
                 'security.frontend.allowInsecureSiteResolutionByQueryParameters' => false,
                 'security.usePasswordPolicyForFrontendUsers' => false,
    +            'security.frontend.allowInsecureFrameOptionInShowImageController' => false,
             ],
             'createGroup' => '',
             'sitename' => 'TYPO3',
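Review bot: ordering nit in DefaultConfiguration.php: the new `security.frontend.allowInsecureFrameOptionInShowImageController` entry is inserted after `security.usePasswordPolicyForFrontendUsers`, separating it from the other `security.frontend.*` defaults it belongs with (and from the position used in the sibling commit above); placing it directly after `security.frontend.allowInsecureSiteResolutionByQueryParameters` keeps the group together.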
    
  • typo3/sysext/core/Documentation/Changelog/11.5.x/Important-103306-FrameGETParameterInTx_cms_showpicEIDDisabled.rst (+32 −0, added)
    @@ -0,0 +1,32 @@
    +.. include:: /Includes.rst.txt
    +
    +.. _important-103306-1714976257:
    +
    +=======================================================================
    +Important: #103306 - Frame GET parameter in tx_cms_showpic eID disabled
    +=======================================================================
    +
    +See :issue:`103306`
    +
    +Description
    +===========
    +
    +The show image controller (eID `tx_cms_showpic`) lacks a cryptographic
    +HMAC-signature on the frame HTTP query parameter (e.g.
    +`/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`).
    +This allows adversaries to instruct the system to produce an arbitrary number of
    +thumbnail images on the server side.
    +
    +To prevent uncontrolled resource consumption, the frame HTTP query parameter is
    +now ignored, since it could not be used by core APIs.
    +
    +The new feature flag
    +`security.frontend.allowInsecureFrameOptionInShowImageController` — which is
    +disabled per default — can be used to reactivate the previous behavior:
    +
    +..  code-block:: php
    +
    +    $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.frontend.allowInsecureFrameOptionInShowImageController'] = true;
    +
    +
    +.. index:: Frontend, NotScanned, ext:frontend
    
  • typo3/sysext/frontend/Classes/Controller/ShowImageController.php (+11 −1, modified)
    @@ -19,6 +19,7 @@
     
     use Psr\Http\Message\ResponseInterface;
     use Psr\Http\Message\ServerRequestInterface;
    +use TYPO3\CMS\Core\Configuration\Features;
     use TYPO3\CMS\Core\Exception;
     use TYPO3\CMS\Core\Http\Response;
     use TYPO3\CMS\Core\Resource\File;
    @@ -110,6 +111,10 @@ class ShowImageController
          */
         protected $imageTag = '<img src="###publicUrl###" alt="###alt###" title="###title###" width="###width###" height="###height###" />';
     
    +    public function __construct(
    +        protected readonly Features $features
    +    ) {}
    +
         /**
          * Init function, setting the input vars in the global space.
          *
    @@ -154,7 +159,12 @@ public function initialize()
                 throw new Exception('File processing for local storage is denied', 1594043425);
             }
     
    -        $this->frame = $this->request->getQueryParams()['frame'] ?? null;
    +        if ($this->features->isFeatureEnabled('security.frontend.allowInsecureFrameOptionInShowImageController')) {
    +            $frameValue = $this->request->getQueryParams()['frame'] ?? null;
    +            if ($frameValue !== null && MathUtility::canBeInterpretedAsInteger($frameValue)) {
    +                $this->frame = (int)$frameValue;
    +            }
    +        }
         }
     
         /**
    
  • typo3/sysext/frontend/Configuration/Services.yaml (+3 −0, modified)
    @@ -15,6 +15,9 @@ services:
         arguments:
           $cache: '@cache.assets'
     
    +  TYPO3\CMS\Frontend\Controller\ShowImageController:
    +    public: true
    +
       TYPO3\CMS\Frontend\ContentObject\ContentDataProcessor:
         public: true
     
    
  • typo3/sysext/frontend/Tests/Functional/Controller/ShowImageControllerTest.php (+2 −0, modified)
    @@ -22,6 +22,7 @@
     use PHPUnit\Framework\Attributes\Test;
     use PHPUnit\Framework\MockObject\MockObject;
     use Psr\Http\Message\ServerRequestInterface;
    +use TYPO3\CMS\Core\Configuration\Features;
     use TYPO3\CMS\Core\Resource\FileInterface;
     use TYPO3\CMS\Core\Resource\ProcessedFile;
     use TYPO3\CMS\Core\Resource\ResourceFactory;
    @@ -49,6 +50,7 @@ protected function setUp(): void
                 ->disableOriginalConstructor()
                 ->getMock();
             $this->subject = $this->getMockBuilder(ShowImageController::class)
    +            ->setConstructorArgs([new Features()])
                 ->onlyMethods(['processImage'])
                 ->getMock();
             GeneralUtility::setSingletonInstance(ResourceFactory::class, $this->resourceFactory);
    
05c95fed869a

[SECURITY] Protect frame GET parameter in tx_cms_showpic eID

https://github.com/TYPO3/typo3 · Benni Mack · May 14, 2024 · via ghsa
4 files changed · +43 −1
  • typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml (+3 −0, modified)
    @@ -224,6 +224,9 @@ SYS:
                   yamlImportsFollowDeclarationOrder:
                     type: bool
                     description: 'If on, the YAML imports are imported in the order they are defined in the importing YAML configuration.'
    +              security.frontend.allowInsecureFrameOptionInShowImageController:
    +                type: bool
    +                description: 'If on, the eID Script "tx_cms_showpic" respects the GET parameter "frame" without being signed. Should not be enabled as this allows uncontrolled resource consumption.'
                   security.frontend.allowInsecureSiteResolutionByQueryParameters:
                     type: bool
                     description: 'If on, site resolution can be overwritten by `&id=...&L=...` parameters, URI path & host are just used as default.'
    
  • typo3/sysext/core/Configuration/DefaultConfiguration.php (+1 −0, modified)
    @@ -76,6 +76,7 @@
                 'security.frontend.htmlSanitizeParseFuncDefault' => true,
                 'security.frontend.enforceLoginSigning' => true,
                 'security.frontend.allowInsecureSiteResolutionByQueryParameters' => false,
    +            'security.frontend.allowInsecureFrameOptionInShowImageController' => false,
                 'security.backend.htmlSanitizeRte' => false,
                 'security.backend.enforceReferrer' => true,
                 'yamlImportsFollowDeclarationOrder' => false,
    
  • typo3/sysext/core/Documentation/Changelog/11.5.x/Important-103306-FrameGETParameterInTx_cms_showpicEIDDisabled.rst (+32 −0, added)
    @@ -0,0 +1,32 @@
    +.. include:: /Includes.rst.txt
    +
    +.. _important-103306-1714976257:
    +
    +=======================================================================
    +Important: #103306 - Frame GET parameter in tx_cms_showpic eID disabled
    +=======================================================================
    +
    +See :issue:`103306`
    +
    +Description
    +===========
    +
    +The show image controller (eID `tx_cms_showpic`) lacks a cryptographic
    +HMAC-signature on the frame HTTP query parameter (e.g.
    +`/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`).
    +This allows adversaries to instruct the system to produce an arbitrary number of
    +thumbnail images on the server side.
    +
    +To prevent uncontrolled resource consumption, the frame HTTP query parameter is
    +now ignored, since it could not be used by core APIs.
    +
    +The new feature flag
    +`security.frontend.allowInsecureFrameOptionInShowImageController` — which is
    +disabled per default — can be used to reactivate the previous behavior:
    +
    +..  code-block:: php
    +
    +    $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.frontend.allowInsecureFrameOptionInShowImageController'] = true;
    +
    +
    +.. index:: Frontend, NotScanned, ext:frontend
    
  • typo3/sysext/frontend/Classes/Controller/ShowImageController.php (+7 −1, modified)
    @@ -17,6 +17,7 @@
     
     use Psr\Http\Message\ResponseInterface;
     use Psr\Http\Message\ServerRequestInterface;
    +use TYPO3\CMS\Core\Configuration\Features;
     use TYPO3\CMS\Core\Exception;
     use TYPO3\CMS\Core\Http\Response;
     use TYPO3\CMS\Core\Resource\File;
    @@ -152,7 +153,12 @@ public function initialize()
                 throw new Exception('File processing for local storage is denied', 1594043425);
             }
     
    -        $this->frame = $this->request->getQueryParams()['frame'] ?? null;
    +        if (GeneralUtility::makeInstance(Features::class)->isFeatureEnabled('security.frontend.allowInsecureFrameOptionInShowImageController')) {
    +            $frameValue = $this->request->getQueryParams()['frame'] ?? null;
    +            if ($frameValue !== null && MathUtility::canBeInterpretedAsInteger($frameValue)) {
    +                $this->frame = (int)$frameValue;
    +            }
    +        }
         }
     
         /**
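Review bot: this backport resolves the flag via GeneralUtility::makeInstance(Features::class) inside initialize() instead of the constructor injection used in the other two commits, which is why no Services.yaml or test change is needed here; the trade-off is that the lookup cannot be swapped for a test double through the constructor, so any test of the flag-enabled path has to go through global configuration. As in the other variants, MathUtility (and here also GeneralUtility) must already be imported in this file, since no hunk adds them; confirm before merging.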
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0 (no linked articles in our index yet)