5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-34358

GHSA ID

GHSA-36g8-62qv-5957

EPSS Score

0.04975%

CWE

CWE-200

Published

5/14/2024

Updated

5/14/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-34358

CVE-2024-34358:
TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController

Problem

The ShowImageController (eID tx_cms_showpic) lacks a cryptographic HMAC-signature on the frame HTTP query parameter (e.g. /index.php?eID=tx_cms_showpic?file=3&...&frame=12345). This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side.

Solution

Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 that fix the problem described.

ℹ️ Strong security defaults - Manual actions required

The frame HTTP query parameter is now ignored, since it could not be used by core APIs.

The new feature flag security.frontend.allowInsecureFrameOptionInShowImageController – which is disabled per default – can be used to reactivate the previous behavior.

Credits

Thanks to TYPO3 security team member Torben Hansen who reported this issue and to TYPO3 core & security team members Benjamin Mack and Benjamin Franzke who fixed the issue.

References

TYPO3-CORE-SA-2024-010

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-34358

GHSA ID

GHSA-36g8-62qv-5957

EPSS Score

0.04975%

CWE

CWE-200

Published

5/14/2024

Updated

5/14/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms-core	composer	>= 9.0.0, <= 9.5.47	9.5.48
typo3/cms-core	composer	>= 10.0.0, <= 10.4.44	10.4.45
typo3/cms-core	composer	>= 11.0.0, <= 11.5.36	11.5.37
typo3/cms-core	composer	>= 12.0.0, <= 12.4.14	12.4.15
typo3/cms-core	composer	>= 13.0.0, <= 13.1.0	13.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the unvalidated 'frame' parameter handling in ShowImageController. The pre-patch code in initialize() retrieved $this->frame from request parameters without HMAC checks (visible in the diff). This lack of signature verification enabled attackers to manipulate the parameter freely. The fix introduced a feature flag guard and validation, confirming this was the attack vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Pro*l*m T** `S*owIm****ontroll*r` (_*I* tx_*ms_s*owpi*_) l**ks * *rypto*r*p*i* *M**-si*n*tur* on t** `*r*m*` *TTP qu*ry p*r*m*t*r (*.*. `/in**x.p*p?*I*=tx_*ms_s*owpi*?*il*=*&...&*r*m*=*****`). T*is *llows **v*rs*ri*s to instru*t t** syst*m to pro

Reasoning

T** vuln*r**ility st*ms *rom t** unv*li**t** '*r*m*' p*r*m*t*r **n*lin* in S*owIm****ontroll*r. T** pr*-p*t** *o** in `initi*liz*()` r*tri*v** $t*is->*r*m* *rom r*qu*st p*r*m*t*rs wit*out *M** ****ks (visi*l* in t** *i**). T*is l**k o* si*n*tur* v*ri

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-34358: TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController

Problem

Solution

ℹ️ Strong security defaults - Manual actions required

Credits

References

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-34358:
TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController

Vulnerability Intelligence
Miggo AI