CVE-2024-34355 — Cross-site Scripting in Typo3
Severity
5.4MEDIUMNVD
CNA3.5
EPSS
0.6%
top 30.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMay 14
Description
TYPO3 is an enterprise content management system. Starting in version 13.0.0 and prior to version 13.1.1, the history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account. TYPO3 version 13.1.1 fixes the problem described.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7