Low severity · NVD Advisory · Published Oct 28, 2024 · Updated Oct 31, 2024

CVE-2024-34537

Description

TYPO3 before 13.3.1 allows denial of service (interface error) in the Bookmark Toolbar (ext:backend), exploitable by an administrator-level backend user account via manipulated data saved in the bookmark toolbar of the backend user interface. The fixed versions are 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, and 13.3.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TYPO3 before 13.3.1 allows a denial of service via manipulated data in the bookmark toolbar, exploitable by an administrator-level backend user.

Vulnerability Overview

The vulnerability resides in the Bookmark Toolbar component (ext:backend) of TYPO3 CMS. Due to insufficient input validation, an attacker with an administrator-level backend user account can manipulate data saved in the bookmark toolbar. This manipulated data causes a general error state that blocks further access to the backend interface for all users [1][2][4].

Exploitation and Attack Surface

Exploitation requires a backend user account with administrator privileges. The vulnerability is triggered by sending a crafted JSON object via the bookmark creation request, which is not properly validated before being stored in the database [2]. Once the manipulated data is saved, any attempt to access the backend interface results in an unhandled error, effectively locking out all administrators [4].

Impact

A successful attack results in a complete denial of service of the TYPO3 backend administration interface. The only way to recover is by manually removing the malformed bookmark entry directly from the database [2]. This can cause significant operational downtime, especially in environments with multiple administrators relying on the backend for content management.

Mitigation

The issue has been fixed in TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, and 13.3.1 [1][4]. Administrators are strongly advised to update their installations to one of these patched versions as soon as possible. No workaround is provided other than the update.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| typo3/cms-backend (Packagist) | >= 13.0.0, < 13.3.1 | 13.3.1 |
| typo3/cms-backend (Packagist) | >= 12.0.0, < 12.4.21 | 12.4.21 |
| typo3/cms-backend (Packagist) | >= 11.0.0, < 11.5.40 | 11.5.40 |
| typo3/cms-backend (Packagist) | >= 10.0.0, < 10.4.46 | 10.4.46 |
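
To check an installation against the ranges in the table above, the following added example (not part of the advisory or of TYPO3's code) reads a composer.lock and classifies each typo3/cms-backend entry. The function names and the sample lock content are constructed for illustration; major branches outside the table are reported as "unlisted" rather than guessed.

```python
import json
import re

# Fixed release per major branch, taken from the advisory's affected-packages table.
FIXED = {10: (10, 4, 46), 11: (11, 5, 40), 12: (12, 4, 21), 13: (13, 3, 1)}
PACKAGE = "typo3/cms-backend"


def classify(version):
    """Return (status, fixed_version) for one installed version string."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        # Branch aliases such as "dev-main" carry no comparable number.
        return ("unknown", None)
    installed = tuple(int(p) for p in m.groups())
    fixed = FIXED.get(installed[0])
    if fixed is None:
        # Major branch outside the table: the table makes no statement about it.
        return ("unlisted", None)
    fixed_str = ".".join(map(str, fixed))
    return ("affected" if installed < fixed else "patched", fixed_str)


def audit_lock(lock_text):
    """Check every typo3/cms-backend entry in a composer.lock document."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name") == PACKAGE:
                status, fixed = classify(pkg.get("version", ""))
                findings.append((pkg.get("version"), status, fixed))
    return findings


# Constructed sample lock file (not from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms-core", "version": "v12.4.20"},
        {"name": "typo3/cms-backend", "version": "v12.4.20"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for version, status, fixed in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version}: {status}" + (f" (fixed in {fixed})" if fixed else ""))
```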
