TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, failing to properly encode user-controlled values in file entities, the `ShowImageController` (`_eID tx_cms_showpic_`) is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 03 Sep 2025 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2024-08-02T02:51:11.194Z

Reserved: 2024-05-02T06:36:32.438Z

Link: CVE-2024-34357

cve-icon Vulnrichment

Updated: 2024-08-02T02:51:11.194Z

cve-icon NVD

Status : Analyzed

Published: 2024-05-14T16:17:25.210

Modified: 2025-09-03T17:34:06.120

Link: CVE-2024-34357

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-13T11:22:04Z