{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54802?format=json","vulnerability_id":"VCID-rzx5-nv6h-qqhg","summary":"TYPO3 vulnerable to Cross-Site Scripting in the ShowImageController\n### Problem\nFailing to properly encode user-controlled values in file entities, the `ShowImageController` (_eID tx_cms_showpic_) is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities.\n\n### Solution\nUpdate to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 that fix the problem described.\n\n### Credits\nThanks to TYPO3 security team member Torben Hansen who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2024-009](https://typo3.org/security/advisory/typo3-core-sa-2024-009)","aliases":[{"alias":"CVE-2024-34357"},{"alias":"GHSA-hw6c-6gwq-3m3m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81272?format=json","purl":"pkg:composer/typo3/cms-core@11.5.37","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.37"},{"url":"http://public2.vulnerablecode.io/api/packages/81273?format=json","purl":"pkg:composer/typo3/cms-core@12.4.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.15"},{"url":"http://public2.vulnerablecode.io/api/packages/81274?format=json","purl":"pkg:composer/typo3/cms-core@13.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.1.1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56073?format=json","purl":"pkg:composer/typo3/cms-core@9.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-1knh-es99-dubw"},{"vulnerability":"VCID-1prg-c74k-37ec"},{"vulnerability":"VCID-1sfk-z8py-ykb8"},{"vulnerability":"VCID-23ss-xwrm-1qcu"},{"vulnerability":"VCID-2m67-xdxz-ryc2"},{"vulnerability":"VCID-2rhr-8vaz-hqfj"},{"vulnerability":"VCID-3ebd-765h-j3g7"},{"vulnerability":"VCID-3hta-35zx-zuc4"},{"vulnerability":"VCID-4an7-9ph4-mkd4"},{"vulnerability":"VCID-4q6d-bd3h-t7f4"},{"vulnerability":"VCID-4rfq-u488-sbh5"},{"vulnerability":"VCID-51k2-j834-pffb"},{"vulnerability":"VCID-5nq2-nchj-fkc8"},{"vulnerability":"VCID-5ync-ktk5-23gh"},{"vulnerability":"VCID-6ffw-r4k7-5qf8"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6q7t-kdrg-8qc3"},{"vulnerability":"VCID-6rgp-dzw1-kycx"},{"vulnerability":"VCID-78ff-k66z-bkh7"},{"vulnerability":"VCID-7ch1-q9f4-a7bt"},{"vulnerability":"VCID-7r4g-gxc6-hubh"},{"vulnerability":"VCID-7snt-7hyt-1fbx"},{"vulnerability":"VCID-8216-asqx-f7eb"},{"vulnerability":"VCID-82ds-xda8-5ye4"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-87ej-qn3k-t3dy"},{"vulnerability":"VCID-8sek-v483-8ueu"},{"vulnerability":"VCID-8w4e-d49b-nbg8"},{"vulnerability":"VCID-9mpc-hjjh-u3d2"},{"vulnerability":"VCID-a1g9-pyz5-9fca"},{"vulnerability":"VCID-an3r-c2yp-1bbd"},{"vulnerability":"VCID-bbh5-rss8-bfct"},{"vulnerability":"VCID-bzqv-s7g3-wff9"},{"vulnerability":"VCID-cf9m-qdyj-eyav"},{"vulnerability":"VCID-cgny-nmk3-4fcd"},{"vulnerability":"VCID-cq82-qt6v-dfhz"},{"vulnerability":"VCID-cv9x-ea8e-pufu"},{"vulnerability":"VCID-daz8-j1ns-rkgt"},{"vulnerability":"VCID-dzrt-8tny-kbcy"},{"vulnerability":"VCID-e6zr-4bgg-kkh5"},{"vulnerability":"VCID-e8ze-umec-a7hx"},{"vulnerability":"VCID-e9jc-8mpp-fkgh"},{"vulnerability":"VCID-efrn-3w2z-xyaf"},{"vulnerability":"VCID-eq57-btkt-hug8"},{"vulnerability":"VCID-etcc-43a3-a7ek"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-f9pk-cwyr-a7cv"},{"vulnerability":"VCID-fgkd-jp96-cbcs"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-g3t9-1yx2-6ufd"},{"vulnerability":"VCID-gemf-j9uj-jka1"},{"vulnerability":"VCID-gvag-nxmd-s7d1"},{"vulnerability":"VCID-hfcx-1kuh-p3ez"},{"vulnerability":"VCID-hnyk-614g-yuhy"},{"vulnerability":"VCID-hr6r-88m3-9udv"},{"vulnerability":"VCID-j8hk-bqnb-gycp"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-k8r2-2ak8-qkak"},{"vulnerability":"VCID-ke39-846j-kbh3"},{"vulnerability":"VCID-myhc-dyh9-xygg"},{"vulnerability":"VCID-n1gz-y615-cbbk"},{"vulnerability":"VCID-n56h-zuzr-ruhf"},{"vulnerability":"VCID-nyw8-q5ef-2fcv"},{"vulnerability":"VCID-pwh8-c992-vqav"},{"vulnerability":"VCID-qr1u-kcn9-cuf6"},{"vulnerability":"VCID-qtyt-338b-ayay"},{"vulnerability":"VCID-qxab-9uwr-yqhv"},{"vulnerability":"VCID-rzx5-nv6h-qqhg"},{"vulnerability":"VCID-sdjb-gp4t-vbgt"},{"vulnerability":"VCID-tgyt-axv1-c7ag"},{"vulnerability":"VCID-uaf3-fyst-u7gm"},{"vulnerability":"VCID-uhrk-ad4f-nqgh"},{"vulnerability":"VCID-uncp-sa58-ufdd"},{"vulnerability":"VCID-uq77-aax5-k7d8"},{"vulnerability":"VCID-uua1-9rt1-dfbz"},{"vulnerability":"VCID-v7b1-x8hy-2kcg"},{"vulnerability":"VCID-w94g-xxea-23fb"},{"vulnerability":"VCID-wm4a-hcvt-vkbk"},{"vulnerability":"VCID-x3n3-tsjh-8kby"},{"vulnerability":"VCID-x5jb-yj3d-qbdf"},{"vulnerability":"VCID-y3zj-acc7-jkau"},{"vulnerability":"VCID-yf3d-yyzq-guh1"},{"vulnerability":"VCID-ygw1-vqxg-z3h3"},{"vulnerability":"VCID-z2bk-m2kw-h3c9"},{"vulnerability":"VCID-z718-97ez-r7g3"},{"vulnerability":"VCID-zbm9-cx69-wqg3"},{"vulnerability":"VCID-zeut-9wfp-q7et"},{"vulnerability":"VCID-zhcb-h8ph-7uhk"},{"vulnerability":"VCID-zkvq-bms4-gfcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/58460?format=json","purl":"pkg:composer/typo3/cms-core@10.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-1sfk-z8py-ykb8"},{"vulnerability":"VCID-2rhr-8vaz-hqfj"},{"vulnerability":"VCID-2tz2-8qdm-2kcv"},{"vulnerability":"VCID-3hta-35zx-zuc4"},{"vulnerability":"VCID-4an7-9ph4-mkd4"},{"vulnerability":"VCID-4rfq-u488-sbh5"},{"vulnerability":"VCID-6a22-c7x5-sqe2"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6urp-p9mn-cffv"},{"vulnerability":"VCID-78ff-k66z-bkh7"},{"vulnerability":"VCID-7r4g-gxc6-hubh"},{"vulnerability":"VCID-7snt-7hyt-1fbx"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-8w4e-d49b-nbg8"},{"vulnerability":"VCID-9tpm-8udy-c3cd"},{"vulnerability":"VCID-a1g9-pyz5-9fca"},{"vulnerability":"VCID-an3r-c2yp-1bbd"},{"vulnerability":"VCID-bbh5-rss8-bfct"},{"vulnerability":"VCID-bzqv-s7g3-wff9"},{"vulnerability":"VCID-e6zr-4bgg-kkh5"},{"vulnerability":"VCID-etcc-43a3-a7ek"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fgkd-jp96-cbcs"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-gxsd-4nd9-gqgn"},{"vulnerability":"VCID-j8hk-bqnb-gycp"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-myhc-dyh9-xygg"},{"vulnerability":"VCID-n1gz-y615-cbbk"},{"vulnerability":"VCID-r3az-g422-gqf9"},{"vulnerability":"VCID-rzx5-nv6h-qqhg"},{"vulnerability":"VCID-sdjb-gp4t-vbgt"},{"vulnerability":"VCID-tgyt-axv1-c7ag"},{"vulnerability":"VCID-uq77-aax5-k7d8"},{"vulnerability":"VCID-uua1-9rt1-dfbz"},{"vulnerability":"VCID-w94g-xxea-23fb"},{"vulnerability":"VCID-x3n3-tsjh-8kby"},{"vulnerability":"VCID-y3zj-acc7-jkau"},{"vulnerability":"VCID-ygw1-vqxg-z3h3"},{"vulnerability":"VCID-zkvq-bms4-gfcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/58462?format=json","purl":"pkg:composer/typo3/cms-core@11.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-2rhr-8vaz-hqfj"},{"vulnerability":"VCID-3hta-35zx-zuc4"},{"vulnerability":"VCID-6a22-c7x5-sqe2"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6urp-p9mn-cffv"},{"vulnerability":"VCID-7r4g-gxc6-hubh"},{"vulnerability":"VCID-7snt-7hyt-1fbx"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-9tpm-8udy-c3cd"},{"vulnerability":"VCID-a1g9-pyz5-9fca"},{"vulnerability":"VCID-an3r-c2yp-1bbd"},{"vulnerability":"VCID-bzqv-s7g3-wff9"},{"vulnerability":"VCID-c46m-ht19-ybc4"},{"vulnerability":"VCID-etcc-43a3-a7ek"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fgkd-jp96-cbcs"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-fsx8-7qjz-2ubw"},{"vulnerability":"VCID-gxsd-4nd9-gqgn"},{"vulnerability":"VCID-j8hk-bqnb-gycp"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"},{"vulnerability":"VCID-myhc-dyh9-xygg"},{"vulnerability":"VCID-p3nb-urds-euf3"},{"vulnerability":"VCID-rzx5-nv6h-qqhg"},{"vulnerability":"VCID-sdjb-gp4t-vbgt"},{"vulnerability":"VCID-uq77-aax5-k7d8"},{"vulnerability":"VCID-uua1-9rt1-dfbz"},{"vulnerability":"VCID-w94g-xxea-23fb"},{"vulnerability":"VCID-x3n3-tsjh-8kby"},{"vulnerability":"VCID-y3zj-acc7-jkau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/63852?format=json","purl":"pkg:composer/typo3/cms-core@12.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3hta-35zx-zuc4"},{"vulnerability":"VCID-5e9k-tfy9-ufcx"},{"vulnerability":"VCID-6a22-c7x5-sqe2"},{"vulnerability":"VCID-7r4g-gxc6-hubh"},{"vulnerability":"VCID-7snt-7hyt-1fbx"},{"vulnerability":"VCID-9tpm-8udy-c3cd"},{"vulnerability":"VCID-an3r-c2yp-1bbd"},{"vulnerability":"VCID-bzqv-s7g3-wff9"},{"vulnerability":"VCID-etcc-43a3-a7ek"},{"vulnerability":"VCID-fgkd-jp96-cbcs"},{"vulnerability":"VCID-gxsd-4nd9-gqgn"},{"vulnerability":"VCID-myhc-dyh9-xygg"},{"vulnerability":"VCID-p3nb-urds-euf3"},{"vulnerability":"VCID-rzx5-nv6h-qqhg"},{"vulnerability":"VCID-uua1-9rt1-dfbz"},{"vulnerability":"VCID-w94g-xxea-23fb"},{"vulnerability":"VCID-x3n3-tsjh-8kby"},{"vulnerability":"VCID-y3zj-acc7-jkau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/68933?format=json","purl":"pkg:composer/typo3/cms-core@13.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3hta-35zx-zuc4"},{"vulnerability":"VCID-5e9k-tfy9-ufcx"},{"vulnerability":"VCID-7r4g-gxc6-hubh"},{"vulnerability":"VCID-7snt-7hyt-1fbx"},{"vulnerability":"VCID-9tpm-8udy-c3cd"},{"vulnerability":"VCID-an3r-c2yp-1bbd"},{"vulnerability":"VCID-c91z-btmf-87dz"},{"vulnerability":"VCID-etcc-43a3-a7ek"},{"vulnerability":"VCID-fgkd-jp96-cbcs"},{"vulnerability":"VCID-myhc-dyh9-xygg"},{"vulnerability":"VCID-p3nb-urds-euf3"},{"vulnerability":"VCID-rzx5-nv6h-qqhg"},{"vulnerability":"VCID-uua1-9rt1-dfbz"},{"vulnerability":"VCID-uw3m-2f4s-s3fj"},{"vulnerability":"VCID-w94g-xxea-23fb"},{"vulnerability":"VCID-x3n3-tsjh-8kby"},{"vulnerability":"VCID-y3zj-acc7-jkau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.0"}],"references":[{"reference_url":"https://github.com/TYPO3/typo3","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/typo3"},{"reference_url":"https://github.com/TYPO3/typo3/commit/376474904f6b9a54dc1b785a2e45277cbd13b0d7","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/typo3/commit/376474904f6b9a54dc1b785a2e45277cbd13b0d7"},{"reference_url":"https://github.com/TYPO3/typo3/commit/b31d05d1da3eeaeead2d19eb43b1c3f9c88e15ee","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/typo3/commit/b31d05d1da3eeaeead2d19eb43b1c3f9c88e15ee"},{"reference_url":"https://github.com/TYPO3/typo3/commit/d774642381354d3bf5095a5a26e18acd2767f0b1","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/typo3/commit/d774642381354d3bf5095a5a26e18acd2767f0b1"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2024-009","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2024-009"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34357","reference_id":"CVE-2024-34357","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34357"},{"reference_url":"https://github.com/advisories/GHSA-hw6c-6gwq-3m3m","reference_id":"GHSA-hw6c-6gwq-3m3m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hw6c-6gwq-3m3m"},{"reference_url":"https://github.com/TYPO3/typo3/security/advisories/GHSA-hw6c-6gwq-3m3m","reference_id":"GHSA-hw6c-6gwq-3m3m","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/typo3/security/advisories/GHSA-hw6c-6gwq-3m3m"}],"weaknesses":[{"cwe_id":79,"name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","description":"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":"0.5","weighted_severity":"6.2","risk_score":3.1,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rzx5-nv6h-qqhg"}