TYPO3 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2024-34357 - Vulnerability Database

Severity: Medium
Reference: CVE-2024-34357
Title: TYPO3 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability
Overview:

TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the ShowImageController (eID tx_cms_showpic) fails to properly encode user-controlled values in file entities and is therefore vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1 fix the problem described.