TYPO3 v13.0.0-13.1.1: History Backend Module HTML Injection
CVE-2024-34355 Published on May 14, 2024

TYPO3 vulnerable to an HTML Injection in the History Module
TYPO3 is an enterprise content management system. Starting in version 13.0.0 and prior to version 13.1.1, the history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account. TYPO3 version 13.1.1 fixes the problem described.

Github Repository NVD

Vulnerability Analysis

CVE-2024-34355 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Types

What is an Output Sanitization Vulnerability?

The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CVE-2024-34355 has been classified to as an Output Sanitization vulnerability or weakness.

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2024-34355 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2024-34355

Want to know whenever a new CVE is published for TYPO3? stack.watch will email you.

TYPO3
 

Affected Versions

typo3 Version >= 13.0.0, < 13.1.1 is affected by CVE-2024-34355

Vulnerable Packages

The following package name and versions may be associated with CVE-2024-34355

Package Manager Vulnerable Package Versions Fixed In
composer typo3/cms-core >= 13.0.0, <= 13.1.0 13.1.1

Exploit Probability

EPSS
0.62%
Percentile
69.65%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.