NVD

Vulnerability Change Records for CVE-2024-34357

Action	Type	New Value
Added	Description	TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, failing to properly encode user-controlled values in file entities, the `ShowImageController` (`_eID tx_cms_showpic_`) is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described.
Added	CVSS V3.1	GitHub, Inc. AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Added	CWE	GitHub, Inc. CWE-79
Added	Reference	GitHub, Inc. https://github.com/TYPO3/typo3/commit/376474904f6b9a54dc1b785a2e45277cbd13b0d7 [No types assigned]
Added	Reference	GitHub, Inc. https://github.com/TYPO3/typo3/commit/b31d05d1da3eeaeead2d19eb43b1c3f9c88e15ee [No types assigned]
Added	Reference	GitHub, Inc. https://github.com/TYPO3/typo3/commit/d774642381354d3bf5095a5a26e18acd2767f0b1 [No types assigned]
Added	Reference	GitHub, Inc. https://github.com/TYPO3/typo3/security/advisories/GHSA-hw6c-6gwq-3m3m [No types assigned]
Added	Reference	GitHub, Inc. https://typo3.org/security/advisory/typo3-core-sa-2024-009 [No types assigned]