{"id":"CVE-2024-34356","summary":"TYPO3 vulnerable to Cross-Site Scripting in the Form Manager Module","details":"TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to the form module. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1 fix the problem described.","aliases":["GHSA-v6mw-h7w6-59w3"],"modified":"2026-04-10T05:12:54.116803Z","published":"2024-05-14T14:05:19.851Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34356.json","cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34356.json"},{"type":"ADVISORY","url":"https://github.com/TYPO3/typo3/security/advisories/GHSA-v6mw-h7w6-59w3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34356"},{"type":"ADVISORY","url":"https://typo3.org/security/advisory/typo3-core-sa-2024-008"},{"type":"FIX","url":"https://github.com/TYPO3/typo3/commit/2832e2f51f929aeddb5de7d667538a33ceda8156"},{"type":"FIX","url":"https://github.com/TYPO3/typo3/commit/d0393a879a32fb4e3569acad6bdb5cda776be1e5"},{"type":"FIX","url":"https://github.com/TYPO3/typo3/commit/e95a1224719efafb9cab2d85964f240fd0356e64"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/typo3/typo3","events":[{"introduced":"6a5e2d4097ef0a0e3ea955af93cf83810d6fa234"},{"fixed":"8c01ea0cd9f5ecd3003d46c5fae521784d619a73"}],"database_specific":{"versions":[{"introduced":"11.0.0"},{"fixed":"11.5.37"}]}},{"type":"GIT","repo":"https://github.com/typo3/typo3","events":[{"introduced":"36096733dea4bd6f6168209609fa879dc25c0138"},{"fixed":"85cb1b09b03366d4cf690064d9f2afb013b27c82"}],"database_specific":{"versions":[{"introduced":"12.0.0"},{"fixed":"12.4.15"}]}},{"type":"GIT","repo":"https://github.com/typo3/typo3","events":[{"introduced":"fd8745e46bb11773e85524b8ee9650dabe340713"},{"fixed":"dbe306ed9ddeda3c56f78ba919a8f8b4642dd6a4"}],"database_specific":{"versions":[{"introduced":"13.0.0"},{"fixed":"13.1.1"}]}}],"versions":["v11.0.0","v11.1.0","v11.2.0","v11.3.0","v11.4.0","v11.5.0","v11.5.1","v11.5.10","v11.5.11","v11.5.12","v11.5.13","v11.5.14","v11.5.15","v11.5.16","v11.5.17","v11.5.18","v11.5.19","v11.5.2","v11.5.20","v11.5.21","v11.5.22","v11.5.23","v11.5.24","v11.5.25","v11.5.26","v11.5.27","v11.5.28","v11.5.29","v11.5.3","v11.5.30","v11.5.31","v11.5.32","v11.5.33","v11.5.34","v11.5.35","v11.5.36","v11.5.4","v11.5.5","v11.5.6","v11.5.7","v11.5.8","v11.5.9","v12.0.0","v12.1.0","v12.2.0","v12.3.0","v12.4.0","v12.4.1","v12.4.10","v12.4.11","v12.4.12","v12.4.13","v12.4.14","v12.4.2","v12.4.3","v12.4.4","v12.4.5","v12.4.6","v12.4.7","v12.4.8","v12.4.9","v13.0.0","v13.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34356.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/typo3/typo3.cms","events":[{"introduced":"6a5e2d4097ef0a0e3ea955af93cf83810d6fa234"},{"fixed":"8c01ea0cd9f5ecd3003d46c5fae521784d619a73"},{"introduced":"36096733dea4bd6f6168209609fa879dc25c0138"},{"fixed":"85cb1b09b03366d4cf690064d9f2afb013b27c82"},{"introduced":"fd8745e46bb11773e85524b8ee9650dabe340713"},{"fixed":"dbe306ed9ddeda3c56f78ba919a8f8b4642dd6a4"}],"database_specific":{"versions":[{"introduced":"11.0.0"},{"fixed":"11.5.37"},{"introduced":"12.0.0"},{"fixed":"12.4.15"},{"introduced":"13.0.0"},{"fixed":"13.1.1"}]}}],"versions":["v11.0.0","v11.1.0","v11.2.0","v11.3.0","v11.4.0","v11.5.0","v11.5.1","v11.5.10","v11.5.11","v11.5.12","v11.5.13","v11.5.14","v11.5.15","v11.5.16","v11.5.17","v11.5.18","v11.5.19","v11.5.2","v11.5.20","v11.5.21","v11.5.22","v11.5.23","v11.5.24","v11.5.25","v11.5.26","v11.5.27","v11.5.28","v11.5.29","v11.5.3","v11.5.30","v11.5.31","v11.5.32","v11.5.33","v11.5.34","v11.5.35","v11.5.36","v11.5.4","v11.5.5","v11.5.6","v11.5.7","v11.5.8","v11.5.9","v12.0.0","v12.1.0","v12.2.0","v12.3.0","v12.4.0","v12.4.1","v12.4.10","v12.4.11","v12.4.12","v12.4.13","v12.4.14","v12.4.2","v12.4.3","v12.4.4","v12.4.5","v12.4.6","v12.4.7","v12.4.8","v12.4.9","v13.0.0","v13.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34356.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}