Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/typo3/cms-core@12.4.15
Typecomposer
Namespacetypo3
Namecms-core
Version12.4.15
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_version12.4.25
Latest_non_vulnerable_version14.0.2
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-an3r-c2yp-1bbd
vulnerability_id VCID-an3r-c2yp-1bbd
summary 
TYPO3 vulnerable to Cross-Site Scripting in the Form Manager Module
### Problem
The form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to the form module.

### Solution
Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 that fix the problem described.

### Credits
Thanks to TYPO3 core & security team member Benjamin Franzke who reported and fixed the issue.

### References
* [TYPO3-CORE-SA-2024-008](https://typo3.org/security/advisory/typo3-core-sa-2024-008)
references
0
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
1
reference_url https://github.com/TYPO3/typo3/commit/2832e2f51f929aeddb5de7d667538a33ceda8156
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/2832e2f51f929aeddb5de7d667538a33ceda8156
2
reference_url https://github.com/TYPO3/typo3/commit/d0393a879a32fb4e3569acad6bdb5cda776be1e5
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/d0393a879a32fb4e3569acad6bdb5cda776be1e5
3
reference_url https://github.com/TYPO3/typo3/commit/e95a1224719efafb9cab2d85964f240fd0356e64
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/e95a1224719efafb9cab2d85964f240fd0356e64
4
reference_url https://typo3.org/security/advisory/typo3-core-sa-2024-008
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2024-008
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-34356
reference_id CVE-2024-34356
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-34356
6
reference_url https://github.com/advisories/GHSA-v6mw-h7w6-59w3
reference_id GHSA-v6mw-h7w6-59w3
reference_type
scores
url https://github.com/advisories/GHSA-v6mw-h7w6-59w3
7
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-v6mw-h7w6-59w3
reference_id GHSA-v6mw-h7w6-59w3
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/security/advisories/GHSA-v6mw-h7w6-59w3
fixed_packages
0
url pkg:composer/typo3/cms-core@9.5.48
purl pkg:composer/typo3/cms-core@9.5.48
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.48
1
url pkg:composer/typo3/cms-core@10.4.45
purl pkg:composer/typo3/cms-core@10.4.45
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.45
2
url pkg:composer/typo3/cms-core@11.5.37
purl pkg:composer/typo3/cms-core@11.5.37
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.37
3
url pkg:composer/typo3/cms-core@12.4.15
purl pkg:composer/typo3/cms-core@12.4.15
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.15
4
url pkg:composer/typo3/cms-core@13.1.1
purl pkg:composer/typo3/cms-core@13.1.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.1.1
aliases CVE-2024-34356, GHSA-v6mw-h7w6-59w3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-an3r-c2yp-1bbd
1
url VCID-fgkd-jp96-cbcs
vulnerability_id VCID-fgkd-jp96-cbcs
summary 
TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController
### Problem
The `ShowImageController` (_eID tx_cms_showpic_) lacks a cryptographic HMAC-signature on the `frame` HTTP query parameter (e.g. `/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`).
This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side.

### Solution
Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 that fix the problem described.

#### ℹī¸ **Strong security defaults - Manual actions required**

The `frame` HTTP query parameter is now ignored, since it could not be used by core APIs.

The new feature flag `security.frontend.allowInsecureFrameOptionInShowImageController` – which is disabled per default – can be used to reactivate the previous behavior.

### Credits
Thanks to TYPO3 security team member Torben Hansen who reported this issue and to TYPO3 core & security team members Benjamin Mack and Benjamin Franzke who fixed the issue.

### References
* [TYPO3-CORE-SA-2024-010](https://typo3.org/security/advisory/typo3-core-sa-2024-010)
references
0
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
1
reference_url https://github.com/TYPO3/typo3/commit/05c95fed869a1a6dcca06c7077b83b6ea866ff14
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/05c95fed869a1a6dcca06c7077b83b6ea866ff14
2
reference_url https://github.com/TYPO3/typo3/commit/1e70ebf736935413b0531004839362b4fb0755a5
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/1e70ebf736935413b0531004839362b4fb0755a5
3
reference_url https://github.com/TYPO3/typo3/commit/df7909b6a1cf0f12a42994d0cc3376b607746142
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/df7909b6a1cf0f12a42994d0cc3376b607746142
4
reference_url https://typo3.org/security/advisory/typo3-core-sa-2024-010
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2024-010
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-34358
reference_id CVE-2024-34358
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-34358
6
reference_url https://github.com/advisories/GHSA-36g8-62qv-5957
reference_id GHSA-36g8-62qv-5957
reference_type
scores
url https://github.com/advisories/GHSA-36g8-62qv-5957
7
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-36g8-62qv-5957
reference_id GHSA-36g8-62qv-5957
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/security/advisories/GHSA-36g8-62qv-5957
fixed_packages
0
url pkg:composer/typo3/cms-core@9.5.48
purl pkg:composer/typo3/cms-core@9.5.48
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.48
1
url pkg:composer/typo3/cms-core@10.4.45
purl pkg:composer/typo3/cms-core@10.4.45
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.45
2
url pkg:composer/typo3/cms-core@11.5.37
purl pkg:composer/typo3/cms-core@11.5.37
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.37
3
url pkg:composer/typo3/cms-core@12.4.15
purl pkg:composer/typo3/cms-core@12.4.15
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.15
4
url pkg:composer/typo3/cms-core@13.1.1
purl pkg:composer/typo3/cms-core@13.1.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.1.1
aliases CVE-2024-34358, GHSA-36g8-62qv-5957
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fgkd-jp96-cbcs
2
url VCID-rzx5-nv6h-qqhg
vulnerability_id VCID-rzx5-nv6h-qqhg
summary 
TYPO3 vulnerable to Cross-Site Scripting in the ShowImageController
### Problem
Failing to properly encode user-controlled values in file entities, the `ShowImageController` (_eID tx_cms_showpic_) is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities.

### Solution
Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 that fix the problem described.

### Credits
Thanks to TYPO3 security team member Torben Hansen who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue.

### References
* [TYPO3-CORE-SA-2024-009](https://typo3.org/security/advisory/typo3-core-sa-2024-009)
references
0
reference_url https://github.com/TYPO3/typo3
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3
1
reference_url https://github.com/TYPO3/typo3/commit/376474904f6b9a54dc1b785a2e45277cbd13b0d7
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/376474904f6b9a54dc1b785a2e45277cbd13b0d7
2
reference_url https://github.com/TYPO3/typo3/commit/b31d05d1da3eeaeead2d19eb43b1c3f9c88e15ee
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/b31d05d1da3eeaeead2d19eb43b1c3f9c88e15ee
3
reference_url https://github.com/TYPO3/typo3/commit/d774642381354d3bf5095a5a26e18acd2767f0b1
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/commit/d774642381354d3bf5095a5a26e18acd2767f0b1
4
reference_url https://typo3.org/security/advisory/typo3-core-sa-2024-009
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://typo3.org/security/advisory/typo3-core-sa-2024-009
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-34357
reference_id CVE-2024-34357
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-34357
6
reference_url https://github.com/advisories/GHSA-hw6c-6gwq-3m3m
reference_id GHSA-hw6c-6gwq-3m3m
reference_type
scores
url https://github.com/advisories/GHSA-hw6c-6gwq-3m3m
7
reference_url https://github.com/TYPO3/typo3/security/advisories/GHSA-hw6c-6gwq-3m3m
reference_id GHSA-hw6c-6gwq-3m3m
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/TYPO3/typo3/security/advisories/GHSA-hw6c-6gwq-3m3m
fixed_packages
0
url pkg:composer/typo3/cms-core@9.5.48
purl pkg:composer/typo3/cms-core@9.5.48
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.48
1
url pkg:composer/typo3/cms-core@10.4.45
purl pkg:composer/typo3/cms-core@10.4.45
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.45
2
url pkg:composer/typo3/cms-core@11.5.37
purl pkg:composer/typo3/cms-core@11.5.37
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.37
3
url pkg:composer/typo3/cms-core@12.4.15
purl pkg:composer/typo3/cms-core@12.4.15
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.15
4
url pkg:composer/typo3/cms-core@13.1.1
purl pkg:composer/typo3/cms-core@13.1.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.1.1
aliases CVE-2024-34357, GHSA-hw6c-6gwq-3m3m
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rzx5-nv6h-qqhg
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.15