
Vulnerability_id VCID-rzx5-nv6h-qqhg
Summary
TYPO3 vulnerable to Cross-Site Scripting in the ShowImageController
### Problem
The `ShowImageController` (eID `tx_cms_showpic`) fails to properly encode user-controlled values taken from file entities before placing them in its HTML output, making it vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities, which is why the CVSS vector below carries PR:L and UI:R: an attacker who can edit file metadata stores the payload, and it fires in the browser of whoever later opens the image page.
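
The following is an added example, not TYPO3 code and not the `ShowImageController` itself: a stand-in for an image-display endpoint that renders stored file-entity metadata (`title`, `alternative`) into an HTML page. The file entity is constructed inline with a payload in `title`; the vulnerable renderer interpolates the values raw, the hardened one encodes each value at the point it is emitted. It assumes PHP 8.0 or later (for `str_contains`).

```php
<?php
declare(strict_types=1);

// Added example; a stand-in renderer, not TYPO3's ShowImageController.
// Models an eID-style endpoint that takes a stored file entity and builds
// the HTML page that displays the image.

/** Constructed file entity: a backend user stored an XSS payload in "title". */
function sampleFileEntity(): array
{
    return [
        'identifier'  => '/fileadmin/user_upload/report.png',
        'title'       => '"><script>alert(document.cookie)</script>',
        'alternative' => 'Quarterly report',
    ];
}

/** Vulnerable pattern: stored metadata is interpolated into HTML unencoded. */
function renderImagePageVulnerable(array $file): string
{
    return '<!DOCTYPE html><html><head><title>' . $file['title'] . '</title></head>'
        . '<body><img src="' . $file['identifier'] . '"'
        . ' title="' . $file['title'] . '"'
        . ' alt="' . $file['alternative'] . '"></body></html>';
}

/** Encode a value for an HTML text node or a quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string, which would hide failures.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: every user-controlled value is encoded where it is emitted. */
function renderImagePageHardened(array $file): string
{
    return '<!DOCTYPE html><html><head><title>' . h($file['title']) . '</title></head>'
        . '<body><img src="' . h($file['identifier']) . '"'
        . ' title="' . h($file['title']) . '"'
        . ' alt="' . h($file['alternative']) . '"></body></html>';
}

// Self-check: the payload breaks out of the attribute in the vulnerable
// output and is inert text in the hardened output.
$file       = sampleFileEntity();
$vulnerable = renderImagePageVulnerable($file);
$hardened   = renderImagePageHardened($file);

if (!str_contains($vulnerable, '"><script>')) {
    throw new RuntimeException('expected the raw payload in the vulnerable output');
}
if (str_contains($hardened, '<script') || !str_contains($hardened, '&quot;&gt;&lt;script&gt;')) {
    throw new RuntimeException('hardened output still contains active markup');
}

echo $hardened, PHP_EOL;
```

Attribute encoding is the fix for the text and attribute contexts shown here; it does not make a URL-bearing attribute such as `src` safe against a `javascript:` scheme, which needs separate validation of the value as a path or URL before it is emitted.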

### Solution
Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS or 13.1.1, which fix the problem described. The Fixed_packages entries below list only 11.5.37, 12.4.15 and 13.1.1; the 9.5.48 and 10.4.45 ELTS builds are distributed through TYPO3's paid extended-support channel rather than Packagist, so installations on those branches must be checked against the advisory directly.
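
As an added check (not part of the advisory or of TYPO3), the script below reads the installed `typo3/cms-core` version from a `composer.lock` file and compares it, per major release line, with the fixed versions named above. The embedded lock excerpt is constructed for the example; pass a path to a real `composer.lock` as the first argument to check a project. It assumes PHP 7.3 or later (`JSON_THROW_ON_ERROR`) and that the package version in the lock file is a plain tag such as `v12.4.10`.

```php
<?php
declare(strict_types=1);

// Added example: checks an installed typo3/cms-core version against the
// fixed versions from TYPO3-CORE-SA-2024-009. Not part of TYPO3 or the advisory.

/** Fixed versions from the advisory, keyed by major release line. */
const FIXED_BY_MAJOR = [
    9  => '9.5.48',   // ELTS
    10 => '10.4.45',  // ELTS
    11 => '11.5.37',
    12 => '12.4.15',
    13 => '13.1.1',
];

/** Returns the version of $package recorded in composer.lock JSON, or null. */
function installedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $all  = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    foreach ($all as $pkg) {
        if (($pkg['name'] ?? null) === $package) {
            // Composer records tags as "v12.4.10" or "12.4.10"; drop a leading "v".
            return ltrim((string) $pkg['version'], 'v');
        }
    }
    return null;
}

/** Classifies a version as 'fixed', 'vulnerable' or 'not-covered'. */
function assess(string $version): string
{
    $major = explode('.', $version, 2)[0];
    // Dev branches cannot be matched to a release; majors outside 9..13 are
    // not named by the advisory, so neither is reported as fixed.
    if (str_contains($version, 'dev') || !ctype_digit($major) || !isset(FIXED_BY_MAJOR[(int) $major])) {
        return 'not-covered';
    }
    return version_compare($version, FIXED_BY_MAJOR[(int) $major], '>=') ? 'fixed' : 'vulnerable';
}

// Self-check against versions the advisory and the affected-package list name.
foreach (['12.4.10' => 'vulnerable', '12.4.15' => 'fixed', '13.0.0' => 'vulnerable',
          '13.1.1' => 'fixed', '9.0.0' => 'vulnerable', '8.7.0' => 'not-covered'] as $v => $expected) {
    if (assess($v) !== $expected) {
        throw new RuntimeException("self-check failed for $v");
    }
}

// Constructed composer.lock excerpt containing only the fields this script reads.
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "psr/log", "version": "3.0.0"},
    {"name": "typo3/cms-core", "version": "v12.4.10"}
  ],
  "packages-dev": []
}
JSON;

$lockJson = isset($argv[1]) ? (string) file_get_contents($argv[1]) : $sampleLock;
$version  = installedVersion($lockJson, 'typo3/cms-core');

if ($version === null) {
    echo "typo3/cms-core is not present in the lock file\n";
} else {
    printf("typo3/cms-core %s: %s\n", $version, assess($version));
}
```

The check keys on the major version rather than on `major.minor` because every release before the fix in a line is affected (the Affected_packages list below starts each line at 9.0.0, 10.0.0, 11.0.0, 12.0.0 and 13.0.0), so a 13.0.x installation is vulnerable even though the fix is published as 13.1.1.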

### Credits
Thanks to TYPO3 security team member Torben Hansen who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue.

### References
* [TYPO3-CORE-SA-2024-009](https://typo3.org/security/advisory/typo3-core-sa-2024-009)
Aliases
0
alias CVE-2024-34357
1
alias GHSA-hw6c-6gwq-3m3m
Fixed_packages
0
url pkg:composer/typo3/cms-core@11.5.37
purl pkg:composer/typo3/cms-core@11.5.37
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.37
1
url pkg:composer/typo3/cms-core@12.4.15
purl pkg:composer/typo3/cms-core@12.4.15
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.15
2
url pkg:composer/typo3/cms-core@13.1.1
purl pkg:composer/typo3/cms-core@13.1.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.1.1
Affected_packages
0
url pkg:composer/typo3/cms-core@9.0.0
purl pkg:composer/typo3/cms-core@9.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ffs-9vj5-27hk
1
vulnerability VCID-1knh-es99-dubw
2
vulnerability VCID-1prg-c74k-37ec
3
vulnerability VCID-1sfk-z8py-ykb8
4
vulnerability VCID-23ss-xwrm-1qcu
5
vulnerability VCID-2m67-xdxz-ryc2
6
vulnerability VCID-2rhr-8vaz-hqfj
7
vulnerability VCID-3ebd-765h-j3g7
8
vulnerability VCID-3hta-35zx-zuc4
9
vulnerability VCID-4an7-9ph4-mkd4
10
vulnerability VCID-4q6d-bd3h-t7f4
11
vulnerability VCID-4rfq-u488-sbh5
12
vulnerability VCID-51k2-j834-pffb
13
vulnerability VCID-5nq2-nchj-fkc8
14
vulnerability VCID-5ync-ktk5-23gh
15
vulnerability VCID-6ffw-r4k7-5qf8
16
vulnerability VCID-6mnf-2fcw-dqgp
17
vulnerability VCID-6q7t-kdrg-8qc3
18
vulnerability VCID-6rgp-dzw1-kycx
19
vulnerability VCID-78ff-k66z-bkh7
20
vulnerability VCID-7ch1-q9f4-a7bt
21
vulnerability VCID-7r4g-gxc6-hubh
22
vulnerability VCID-7snt-7hyt-1fbx
23
vulnerability VCID-8216-asqx-f7eb
24
vulnerability VCID-82ds-xda8-5ye4
25
vulnerability VCID-848u-w88s-5bbe
26
vulnerability VCID-87ej-qn3k-t3dy
27
vulnerability VCID-8sek-v483-8ueu
28
vulnerability VCID-8w4e-d49b-nbg8
29
vulnerability VCID-9mpc-hjjh-u3d2
30
vulnerability VCID-a1g9-pyz5-9fca
31
vulnerability VCID-an3r-c2yp-1bbd
32
vulnerability VCID-bbh5-rss8-bfct
33
vulnerability VCID-bzqv-s7g3-wff9
34
vulnerability VCID-cf9m-qdyj-eyav
35
vulnerability VCID-cgny-nmk3-4fcd
36
vulnerability VCID-cq82-qt6v-dfhz
37
vulnerability VCID-cv9x-ea8e-pufu
38
vulnerability VCID-daz8-j1ns-rkgt
39
vulnerability VCID-dzrt-8tny-kbcy
40
vulnerability VCID-e6zr-4bgg-kkh5
41
vulnerability VCID-e8ze-umec-a7hx
42
vulnerability VCID-e9jc-8mpp-fkgh
43
vulnerability VCID-efrn-3w2z-xyaf
44
vulnerability VCID-eq57-btkt-hug8
45
vulnerability VCID-etcc-43a3-a7ek
46
vulnerability VCID-ev4k-5k1d-2bhu
47
vulnerability VCID-f9pk-cwyr-a7cv
48
vulnerability VCID-fgkd-jp96-cbcs
49
vulnerability VCID-fqkx-v8t5-q3h6
50
vulnerability VCID-g3t9-1yx2-6ufd
51
vulnerability VCID-gemf-j9uj-jka1
52
vulnerability VCID-gvag-nxmd-s7d1
53
vulnerability VCID-hfcx-1kuh-p3ez
54
vulnerability VCID-hnyk-614g-yuhy
55
vulnerability VCID-hr6r-88m3-9udv
56
vulnerability VCID-j8hk-bqnb-gycp
57
vulnerability VCID-jp1p-rfxa-hyd9
58
vulnerability VCID-k8r2-2ak8-qkak
59
vulnerability VCID-ke39-846j-kbh3
60
vulnerability VCID-myhc-dyh9-xygg
61
vulnerability VCID-n1gz-y615-cbbk
62
vulnerability VCID-n56h-zuzr-ruhf
63
vulnerability VCID-nyw8-q5ef-2fcv
64
vulnerability VCID-pwh8-c992-vqav
65
vulnerability VCID-qr1u-kcn9-cuf6
66
vulnerability VCID-qtyt-338b-ayay
67
vulnerability VCID-qxab-9uwr-yqhv
68
vulnerability VCID-rzx5-nv6h-qqhg
69
vulnerability VCID-sdjb-gp4t-vbgt
70
vulnerability VCID-tgyt-axv1-c7ag
71
vulnerability VCID-uaf3-fyst-u7gm
72
vulnerability VCID-uhrk-ad4f-nqgh
73
vulnerability VCID-uncp-sa58-ufdd
74
vulnerability VCID-uq77-aax5-k7d8
75
vulnerability VCID-uua1-9rt1-dfbz
76
vulnerability VCID-v7b1-x8hy-2kcg
77
vulnerability VCID-w94g-xxea-23fb
78
vulnerability VCID-wm4a-hcvt-vkbk
79
vulnerability VCID-x3n3-tsjh-8kby
80
vulnerability VCID-x5jb-yj3d-qbdf
81
vulnerability VCID-y3zj-acc7-jkau
82
vulnerability VCID-yf3d-yyzq-guh1
83
vulnerability VCID-ygw1-vqxg-z3h3
84
vulnerability VCID-z2bk-m2kw-h3c9
85
vulnerability VCID-z718-97ez-r7g3
86
vulnerability VCID-zbm9-cx69-wqg3
87
vulnerability VCID-zeut-9wfp-q7et
88
vulnerability VCID-zhcb-h8ph-7uhk
89
vulnerability VCID-zkvq-bms4-gfcv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.0.0
1
url pkg:composer/typo3/cms-core@10.0.0
purl pkg:composer/typo3/cms-core@10.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ffs-9vj5-27hk
1
vulnerability VCID-1sfk-z8py-ykb8
2
vulnerability VCID-2rhr-8vaz-hqfj
3
vulnerability VCID-2tz2-8qdm-2kcv
4
vulnerability VCID-3hta-35zx-zuc4
5
vulnerability VCID-4an7-9ph4-mkd4
6
vulnerability VCID-4rfq-u488-sbh5
7
vulnerability VCID-6a22-c7x5-sqe2
8
vulnerability VCID-6mnf-2fcw-dqgp
9
vulnerability VCID-6urp-p9mn-cffv
10
vulnerability VCID-78ff-k66z-bkh7
11
vulnerability VCID-7r4g-gxc6-hubh
12
vulnerability VCID-7snt-7hyt-1fbx
13
vulnerability VCID-848u-w88s-5bbe
14
vulnerability VCID-8w4e-d49b-nbg8
15
vulnerability VCID-9tpm-8udy-c3cd
16
vulnerability VCID-a1g9-pyz5-9fca
17
vulnerability VCID-an3r-c2yp-1bbd
18
vulnerability VCID-bbh5-rss8-bfct
19
vulnerability VCID-bzqv-s7g3-wff9
20
vulnerability VCID-e6zr-4bgg-kkh5
21
vulnerability VCID-etcc-43a3-a7ek
22
vulnerability VCID-ev4k-5k1d-2bhu
23
vulnerability VCID-fgkd-jp96-cbcs
24
vulnerability VCID-fqkx-v8t5-q3h6
25
vulnerability VCID-gxsd-4nd9-gqgn
26
vulnerability VCID-j8hk-bqnb-gycp
27
vulnerability VCID-jp1p-rfxa-hyd9
28
vulnerability VCID-myhc-dyh9-xygg
29
vulnerability VCID-n1gz-y615-cbbk
30
vulnerability VCID-r3az-g422-gqf9
31
vulnerability VCID-rzx5-nv6h-qqhg
32
vulnerability VCID-sdjb-gp4t-vbgt
33
vulnerability VCID-tgyt-axv1-c7ag
34
vulnerability VCID-uq77-aax5-k7d8
35
vulnerability VCID-uua1-9rt1-dfbz
36
vulnerability VCID-w94g-xxea-23fb
37
vulnerability VCID-x3n3-tsjh-8kby
38
vulnerability VCID-y3zj-acc7-jkau
39
vulnerability VCID-ygw1-vqxg-z3h3
40
vulnerability VCID-zkvq-bms4-gfcv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.0.0
2
url pkg:composer/typo3/cms-core@11.0.0
purl pkg:composer/typo3/cms-core@11.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ffs-9vj5-27hk
1
vulnerability VCID-2rhr-8vaz-hqfj
2
vulnerability VCID-3hta-35zx-zuc4
3
vulnerability VCID-6a22-c7x5-sqe2
4
vulnerability VCID-6mnf-2fcw-dqgp
5
vulnerability VCID-6urp-p9mn-cffv
6
vulnerability VCID-7r4g-gxc6-hubh
7
vulnerability VCID-7snt-7hyt-1fbx
8
vulnerability VCID-848u-w88s-5bbe
9
vulnerability VCID-9tpm-8udy-c3cd
10
vulnerability VCID-a1g9-pyz5-9fca
11
vulnerability VCID-an3r-c2yp-1bbd
12
vulnerability VCID-bzqv-s7g3-wff9
13
vulnerability VCID-c46m-ht19-ybc4
14
vulnerability VCID-etcc-43a3-a7ek
15
vulnerability VCID-ev4k-5k1d-2bhu
16
vulnerability VCID-fgkd-jp96-cbcs
17
vulnerability VCID-fqkx-v8t5-q3h6
18
vulnerability VCID-fsx8-7qjz-2ubw
19
vulnerability VCID-gxsd-4nd9-gqgn
20
vulnerability VCID-j8hk-bqnb-gycp
21
vulnerability VCID-jp1p-rfxa-hyd9
22
vulnerability VCID-myhc-dyh9-xygg
23
vulnerability VCID-p3nb-urds-euf3
24
vulnerability VCID-rzx5-nv6h-qqhg
25
vulnerability VCID-sdjb-gp4t-vbgt
26
vulnerability VCID-uq77-aax5-k7d8
27
vulnerability VCID-uua1-9rt1-dfbz
28
vulnerability VCID-w94g-xxea-23fb
29
vulnerability VCID-x3n3-tsjh-8kby
30
vulnerability VCID-y3zj-acc7-jkau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.0.0
3
url pkg:composer/typo3/cms-core@12.0.0
purl pkg:composer/typo3/cms-core@12.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hta-35zx-zuc4
1
vulnerability VCID-5e9k-tfy9-ufcx
2
vulnerability VCID-6a22-c7x5-sqe2
3
vulnerability VCID-7r4g-gxc6-hubh
4
vulnerability VCID-7snt-7hyt-1fbx
5
vulnerability VCID-9tpm-8udy-c3cd
6
vulnerability VCID-an3r-c2yp-1bbd
7
vulnerability VCID-bzqv-s7g3-wff9
8
vulnerability VCID-etcc-43a3-a7ek
9
vulnerability VCID-fgkd-jp96-cbcs
10
vulnerability VCID-gxsd-4nd9-gqgn
11
vulnerability VCID-myhc-dyh9-xygg
12
vulnerability VCID-p3nb-urds-euf3
13
vulnerability VCID-rzx5-nv6h-qqhg
14
vulnerability VCID-uua1-9rt1-dfbz
15
vulnerability VCID-w94g-xxea-23fb
16
vulnerability VCID-x3n3-tsjh-8kby
17
vulnerability VCID-y3zj-acc7-jkau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.0.0
4
url pkg:composer/typo3/cms-core@13.0.0
purl pkg:composer/typo3/cms-core@13.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hta-35zx-zuc4
1
vulnerability VCID-5e9k-tfy9-ufcx
2
vulnerability VCID-7r4g-gxc6-hubh
3
vulnerability VCID-7snt-7hyt-1fbx
4
vulnerability VCID-9tpm-8udy-c3cd
5
vulnerability VCID-an3r-c2yp-1bbd
6
vulnerability VCID-c91z-btmf-87dz
7
vulnerability VCID-etcc-43a3-a7ek
8
vulnerability VCID-fgkd-jp96-cbcs
9
vulnerability VCID-myhc-dyh9-xygg
10
vulnerability VCID-p3nb-urds-euf3
11
vulnerability VCID-rzx5-nv6h-qqhg
12
vulnerability VCID-uua1-9rt1-dfbz
13
vulnerability VCID-uw3m-2f4s-s3fj
14
vulnerability VCID-w94g-xxea-23fb
15
vulnerability VCID-x3n3-tsjh-8kby
16
vulnerability VCID-y3zj-acc7-jkau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.0
References
0
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
1
reference_url https://github.com/TYPO3/typo3/commit/376474904f6b9a54dc1b785a2e45277cbd13b0d7
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/376474904f6b9a54dc1b785a2e45277cbd13b0d7
2
reference_url https://github.com/TYPO3/typo3/commit/b31d05d1da3eeaeead2d19eb43b1c3f9c88e15ee
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/b31d05d1da3eeaeead2d19eb43b1c3f9c88e15ee
3
reference_url https://github.com/TYPO3/typo3/commit/d774642381354d3bf5095a5a26e18acd2767f0b1
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/d774642381354d3bf5095a5a26e18acd2767f0b1
4
reference_url https://typo3.org/security/advisory/typo3-core-sa-2024-009
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2024-009
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-34357
reference_id CVE-2024-34357
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-34357
6
reference_url https://github.com/advisories/GHSA-hw6c-6gwq-3m3m
reference_id GHSA-hw6c-6gwq-3m3m
reference_type
scores
url https://github.com/advisories/GHSA-hw6c-6gwq-3m3m
7
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-hw6c-6gwq-3m3m
reference_id GHSA-hw6c-6gwq-3m3m
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/security/advisories/GHSA-hw6c-6gwq-3m3m
Weaknesses
0
cwe_id 79
name Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score 4.0 - 6.9
Exploitability 0.5
Weighted_severity 6.2
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rzx5-nv6h-qqhg