VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-b6fq-n6qz-wbgb

Essentials
Severities (22)
References (9)
Severity details (21)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-b6fq-n6qz-wbgb
Aliases	CVE-2024-34358 GHSA-36g8-62qv-5957
Summary	TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController ### Problem The `ShowImageController` (_eID tx_cms_showpic_) lacks a cryptographic HMAC-signature on the `frame` HTTP query parameter (e.g. `/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`). This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side. ### Solution Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 that fix the problem described. #### ℹ️ Strong security defaults - Manual actions required The `frame` HTTP query parameter is now ignored, since it could not be used by core APIs. The new feature flag `security.frontend.allowInsecureFrameOptionInShowImageController` – which is disabled per default – can be used to reactivate the previous behavior. ### Credits Thanks to TYPO3 security team member Torben Hansen who reported this issue and to TYPO3 core & security team members Benjamin Mack and Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-010](https://typo3.org/security/advisory/typo3-core-sa-2024-010)
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (5)

CWE-200	Exposure of Sensitive Information to an Unauthorized Actor
CWE-347	Improper Verification of Cryptographic Signature
CWE-400	Uncontrolled Resource Consumption
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00024	https://api.first.org/data/v1/epss?cve=CVE-2024-34358
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-36g8-62qv-5957
cvssv3.1	5.3	https://github.com/TYPO3/typo3
generic_textual	MODERATE	https://github.com/TYPO3/typo3
cvssv3.1	5.3	https://github.com/TYPO3/typo3/commit/05c95fed869a1a6dcca06c7077b83b6ea866ff14
generic_textual	MODERATE	https://github.com/TYPO3/typo3/commit/05c95fed869a1a6dcca06c7077b83b6ea866ff14
ssvc	Track	https://github.com/TYPO3/typo3/commit/05c95fed869a1a6dcca06c7077b83b6ea866ff14
cvssv3.1	5.3	https://github.com/TYPO3/typo3/commit/1e70ebf736935413b0531004839362b4fb0755a5
generic_textual	MODERATE	https://github.com/TYPO3/typo3/commit/1e70ebf736935413b0531004839362b4fb0755a5
ssvc	Track	https://github.com/TYPO3/typo3/commit/1e70ebf736935413b0531004839362b4fb0755a5
cvssv3.1	5.3	https://github.com/TYPO3/typo3/commit/df7909b6a1cf0f12a42994d0cc3376b607746142
generic_textual	MODERATE	https://github.com/TYPO3/typo3/commit/df7909b6a1cf0f12a42994d0cc3376b607746142
ssvc	Track	https://github.com/TYPO3/typo3/commit/df7909b6a1cf0f12a42994d0cc3376b607746142
cvssv3.1	5.3	https://github.com/TYPO3/typo3/security/advisories/GHSA-36g8-62qv-5957
cvssv3.1_qr	MODERATE	https://github.com/TYPO3/typo3/security/advisories/GHSA-36g8-62qv-5957
generic_textual	MODERATE	https://github.com/TYPO3/typo3/security/advisories/GHSA-36g8-62qv-5957
ssvc	Track	https://github.com/TYPO3/typo3/security/advisories/GHSA-36g8-62qv-5957
cvssv3.1	5.3	https://nvd.nist.gov/vuln/detail/CVE-2024-34358
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2024-34358
cvssv3.1	5.3	https://typo3.org/security/advisory/typo3-core-sa-2024-010
generic_textual	MODERATE	https://typo3.org/security/advisory/typo3-core-sa-2024-010
ssvc	Track	https://typo3.org/security/advisory/typo3-core-sa-2024-010

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2024-34358
		https://github.com/TYPO3/typo3
		https://github.com/TYPO3/typo3/commit/05c95fed869a1a6dcca06c7077b83b6ea866ff14
		https://github.com/TYPO3/typo3/commit/1e70ebf736935413b0531004839362b4fb0755a5
		https://github.com/TYPO3/typo3/commit/df7909b6a1cf0f12a42994d0cc3376b607746142
		https://github.com/TYPO3/typo3/security/advisories/GHSA-36g8-62qv-5957
		https://nvd.nist.gov/vuln/detail/CVE-2024-34358
		https://typo3.org/security/advisory/typo3-core-sa-2024-010
GHSA-36g8-62qv-5957		https://github.com/advisories/GHSA-36g8-62qv-5957

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/TYPO3/typo3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/TYPO3/typo3/commit/05c95fed869a1a6dcca06c7077b83b6ea866ff14

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:43:40Z/ Found at https://github.com/TYPO3/typo3/commit/05c95fed869a1a6dcca06c7077b83b6ea866ff14

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/TYPO3/typo3/commit/1e70ebf736935413b0531004839362b4fb0755a5

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:43:40Z/ Found at https://github.com/TYPO3/typo3/commit/1e70ebf736935413b0531004839362b4fb0755a5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/TYPO3/typo3/commit/df7909b6a1cf0f12a42994d0cc3376b607746142

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:43:40Z/ Found at https://github.com/TYPO3/typo3/commit/df7909b6a1cf0f12a42994d0cc3376b607746142

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/TYPO3/typo3/security/advisories/GHSA-36g8-62qv-5957

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:43:40Z/ Found at https://github.com/TYPO3/typo3/security/advisories/GHSA-36g8-62qv-5957

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2024-34358

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://typo3.org/security/advisory/typo3-core-sa-2024-010

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:43:40Z/ Found at https://typo3.org/security/advisory/typo3-core-sa-2024-010

Exploit Prediction Scoring System (EPSS)

Percentile	0.04938
EPSS Score	0.00024
Published At	June 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-01T12:11:20.809791+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-36g8-62qv-5957/GHSA-36g8-62qv-5957.json	36.1.3