{"id":"CVE-2024-34357","summary":"TYPO3 vulnerable to Cross-Site Scripting in ShowImageController","details":"TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the `ShowImageController` (`_eID tx_cms_showpic_`) fails to properly encode user-controlled values in file entities and is therefore vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described.","aliases":["GHSA-hw6c-6gwq-3m3m"],"modified":"2026-04-10T04:13:34.029567Z","published":"2024-05-14T14:13:11.860Z","database_specific":{"cwe_ids":["CWE-79"],"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"9.0.0"},{"fixed":"9.5.48"},{"introduced":"10.0.0"},{"fixed":"10.4.45"}]}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34357.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34357.json"},{"type":"ADVISORY","url":"https://github.com/TYPO3/typo3/security/advisories/GHSA-hw6c-6gwq-3m3m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34357"},{"type":"ADVISORY","url":"https://typo3.org/security/advisory/typo3-core-sa-2024-009"},{"type":"FIX","url":"https://github.com/TYPO3/typo3/commit/376474904f6b9a54dc1b785a2e45277cbd13b0d7"},{"type":"FIX","url":"https://github.com/TYPO3/typo3/commit/b31d05d1da3eeaeead2d19eb43b1c3f9c88e15ee"},{"type":"FIX","url":"https://github.com/TYPO3/typo3/commit/d774642381354d3bf5095a5a26e18acd2767f0b1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/typo3/typo3","events":[{"introduced":"fd8745e46bb11773e85524b8ee9650dabe340713"},{"fixed":"dbe306ed9ddeda3c56f78ba919a8f8b4642dd6a4"}]}],"versions":["v13.0.0"
,"v13.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-34357.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/typo3/typo3.cms","events":[{"introduced":"6a5e2d4097ef0a0e3ea955af93cf83810d6fa234"},{"fixed":"8c01ea0cd9f5ecd3003d46c5fae521784d619a73"},{"introduced":"36096733dea4bd6f6168209609fa879dc25c0138"},{"fixed":"85cb1b09b03366d4cf690064d9f2afb013b27c82"},{"introduced":"fd8745e46bb11773e85524b8ee9650dabe340713"},{"fixed":"dbe306ed9ddeda3c56f78ba919a8f8b4642dd6a4"}],"database_specific":{"versions":[{"introduced":"11.0.0"},{"fixed":"11.5.37"},{"introduced":"12.0.0"},{"fixed":"12.4.15"},{"introduced":"13.0.0"},{"fixed":"13.1.1"}]}}],"versions":["v11.0.0","v11.1.0","v11.2.0","v11.3.0","v11.4.0","v11.5.0","v11.5.1","v11.5.10","v11.5.11","v11.5.12","v11.5.13","v11.5.14","v11.5.15","v11.5.16","v11.5.17","v11.5.18","v11.5.19","v11.5.2","v11.5.20","v11.5.21","v11.5.22","v11.5.23","v11.5.24","v11.5.25","v11.5.26","v11.5.27","v11.5.28","v11.5.29","v11.5.3","v11.5.30","v11.5.31","v11.5.32","v11.5.33","v11.5.34","v11.5.35","v11.5.36","v11.5.4","v11.5.5","v11.5.6","v11.5.7","v11.5.8","v11.5.9","v12.0.0","v12.1.0","v12.2.0","v12.3.0","v12.4.0","v12.4.1","v12.4.10","v12.4.11","v12.4.12","v12.4.13","v12.4.14","v12.4.2","v12.4.3","v12.4.4","v12.4.5","v12.4.6","v12.4.7","v12.4.8","v12.4.9","v13.0.0","v13.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-34357.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}