TYPO3 ShowImageController HMAC Bypass Unbounded Thumbnail Creation (pre-9.5.48)
CVE-2024-34358 Published on May 14, 2024
TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController
TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the `ShowImageController` (`_eID tx_cms_showpic_`) lacks a cryptographic HMAC-signature on the `frame` HTTP query parameter (e.g. `/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`). This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described.
Vulnerability Analysis
CVE-2024-34358 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Weakness Types
Improper Verification of Cryptographic Signature
The software does not verify, or incorrectly verifies, the cryptographic signature for data.
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2024-34358 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2024-34358
Want to know whenever a new CVE is published for TYPO3? stack.watch will email you.
Affected Versions
typo3:- Version >= 9.0.0, < 9.5.48 is affected.
- Version >= 10.0.0, < 10.4.45 is affected.
- Version >= 11.0.0, < 11.5.37 is affected.
- Version >= 12.0.0, < 12.4.15 is affected.
- Version >= 13.0.0, < 13.1.1 is affected.
- Version 9.0.0 and below 9.5.48 is affected.
- Version 10.0.0 and below 10.4.45 is affected.
- Version 11.0.0 and below 11.5.37 is affected.
- Version 12.0.0 and below 12.4.15 is affected.
- Version 13.0.0 and below 13.1.1 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2024-34358
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| composer | typo3/cms-core | >= 9.0.0, <= 9.5.47 | 9.5.48 |
| composer | typo3/cms-core | >= 10.0.0, <= 10.4.44 | 10.4.45 |
| composer | typo3/cms-core | >= 11.0.0, <= 11.5.36 | 11.5.37 |
| composer | typo3/cms-core | >= 12.0.0, <= 12.4.14 | 12.4.15 |
| composer | typo3/cms-core | >= 13.0.0, <= 13.1.0 | 13.1.1 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.