Miggo Logo
Miggo Vulnerability Database
CVE-2024-34356

CVE-2024-34356:
TYPO3 vulnerable to Cross-Site Scripting in the Form Manager Module

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-34356
GHSA ID
GHSA-v6mw-h7w6-59w3
EPSS Score
0.24443%
CWE
CWE-79
Published
5/14/2024
Updated
5/14/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
typo3/cms-corecomposer>= 9.0.0, <= 9.5.479.5.48
typo3/cms-corecomposer>= 10.0.0, <= 10.4.4410.4.45
typo3/cms-corecomposer>= 11.0.0, <= 11.5.3611.5.37
typo3/cms-corecomposer>= 12.0.0, <= 12.4.1412.4.15
typo3/cms-corecomposer>= 13.0.0, <= 13.1.013.1.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key issues: 1) Insecure HTML generation in Form Manager's reference display logic where user-controlled values (form names, record data) were concatenated into DOM elements without HTML entity encoding. 2) Missing input sanitization when persisting form data, allowing XSS payloads to be stored. The patch explicitly adds SecurityUtility.encodeHtml() calls in the TypeScript/JavaScript view layer and ArrayUtility::stripTagsFromValuesRecursive in PHP controller actions to address these vectors. The functions identified directly handled untrusted data without these protections in vulnerable versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Pro*l*m T** *orm m*n***r ***k*n* mo*ul* is vuln*r**l* to *ross-sit* s*riptin*. *xploitin* t*is vuln*r**ility r*quir*s * v*li* ***k*n* us*r ***ount wit* ****ss to t** *orm mo*ul*. ### Solution Up**t* to TYPO* v*rsions *.*.** *LTS, **.*.** *LTS, *

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s: *) Ins**ur* *TML **n*r*tion in *orm M*n***r's r***r*n** *ispl*y lo*i* w**r* us*r-*ontroll** v*lu*s (*orm n*m*s, r**or* **t*) w*r* *on**t*n*t** into *OM *l*m*nts wit*out *TML *ntity *n*o*in*. *) Missin* inp