CVE-2024-34358

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-34358
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34358.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-34358
Aliases
Published
2024-05-14T14:26:36.422Z
Modified
2026-02-22T01:48:32.197883Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController
Details

TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the ShowImageController (_eID tx_cms_showpic_) lacks a cryptographic HMAC-signature on the frame HTTP query parameter (e.g. /index.php?eID=tx_cms_showpic?file=3&...&frame=12345). This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34358.json",
    "cwe_ids": [
        "CWE-200",
        "CWE-347"
    ]
}
References

Affected packages

Git / github.com/typo3/typo3

Affected ranges

Type
GIT
Repo
https://github.com/typo3/typo3
Events
Introduced
6a5e2d4097ef0a0e3ea955af93cf83810d6fa234
Fixed
8c01ea0cd9f5ecd3003d46c5fae521784d619a73
Database specific 
{
    "versions": [
        {
            "introduced": "11.0.0"
        },
        {
            "fixed": "11.5.37"
        }
    ]
}
Type
GIT
Repo
https://github.com/typo3/typo3
Events
Introduced
36096733dea4bd6f6168209609fa879dc25c0138
Fixed
85cb1b09b03366d4cf690064d9f2afb013b27c82
Database specific 
{
    "versions": [
        {
            "introduced": "12.0.0"
        },
        {
            "fixed": "12.4.15"
        }
    ]
}
Type
GIT
Repo
https://github.com/typo3/typo3
Events
Introduced
fd8745e46bb11773e85524b8ee9650dabe340713
Fixed
dbe306ed9ddeda3c56f78ba919a8f8b4642dd6a4
Database specific 
{
    "versions": [
        {
            "introduced": "13.0.0"
        },
        {
            "fixed": "13.1.1"
        }
    ]
}

Affected versions

v11.*
v11.0.0
v11.1.0
v11.2.0
v11.3.0
v11.4.0
v11.5.0
v11.5.1
v11.5.10
v11.5.11
v11.5.12
v11.5.13
v11.5.14
v11.5.15
v11.5.16
v11.5.17
v11.5.18
v11.5.19
v11.5.2
v11.5.20
v11.5.21
v11.5.22
v11.5.23
v11.5.24
v11.5.25
v11.5.26
v11.5.27
v11.5.28
v11.5.29
v11.5.3
v11.5.30
v11.5.31
v11.5.32
v11.5.33
v11.5.34
v11.5.35
v11.5.36
v11.5.4
v11.5.5
v11.5.6
v11.5.7
v11.5.8
v11.5.9
v12.*
v12.0.0
v12.1.0
v12.2.0
v12.3.0
v12.4.0
v12.4.1
v12.4.10
v12.4.11
v12.4.12
v12.4.13
v12.4.14
v12.4.2
v12.4.3
v12.4.4
v12.4.5
v12.4.6
v12.4.7
v12.4.8
v12.4.9
v13.*
v13.0.0
v13.1.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34358.json"