CVE-2024-34355
Published 2024-05-14
Priority P4 28, medium 5.4 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.59% (43.6th percentile)
TYPO3 is an enterprise content management system. Starting in version 13.0.0 and prior to version 13.1.1, the history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account. TYPO3 version 13.1.1 fixes the problem described.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms-core | >= 13.0.0 < 13.1.1 | 13.1.1 |
| typo3 | typo3 | — | — |
| typo3 | typo3 | >= 13.0.0 < 13.1.1 | 13.1.1 |
GHSA
TYPO3 vulnerable to an HTML Injection in the History Module
ghsa·2024-05-14
CVE-2024-34355 [LOW] CWE-116 TYPO3 vulnerable to an HTML Injection in the History Module
### Problem
The history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account.
### Solution
Update to TYPO3 version 13.1.1, which fixes the problem described.
### Credits
Thanks to TYPO3 core team member Andreas Kienast, who reported this issue, and to TYPO3 core & security team member Benjamin Franzke, who fixed the issue.
### References
* [TYPO3-CORE-SA-2024-007](https://typo3.org/security/advisory/typo3-core-sa-2024-007)
OSV
TYPO3 vulnerable to an HTML Injection in the History Module
osv·2024-05-14
CVE-2024-34355 [LOW] TYPO3 vulnerable to an HTML Injection in the History Module
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
* https://github.com/TYPO3/typo3/commit/56afa304ba8b5ad302e15df5def71bcc8d820375
* https://github.com/TYPO3/typo3/security/advisories/GHSA-xjwx-78x7-q6jc
* https://typo3.org/security/advisory/typo3-core-sa-2024-007