TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, failing to properly encode user-controlled values in file entities, the `ShowImageController` (`_eID tx_cms_showpic_`) is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described.
History

Wed, 03 Sep 2025 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2024-08-02T02:51:11.194Z

Reserved: 2024-05-02T06:36:32.438Z

Link: CVE-2024-34357

cve-icon Vulnrichment

Updated: 2024-08-02T02:51:11.194Z

cve-icon NVD

Status : Analyzed

Published: 2024-05-14T16:17:25.210

Modified: 2025-09-03T17:34:06.120

Link: CVE-2024-34357

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-13T11:22:04Z