{"id":"CVE-2024-34358","summary":"TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController","details":"TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the `ShowImageController` (`_eID tx_cms_showpic_`) lacks a cryptographic HMAC signature on the `frame` HTTP query parameter (e.g. `/index.php?eID=tx_cms_showpic&file=3&...&frame=12345`). This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described.","aliases":["GHSA-36g8-62qv-5957"],"modified":"2026-04-10T05:12:54.094265Z","published":"2024-05-14T14:26:36.422Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34358.json","cwe_ids":["CWE-200","CWE-347"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34358.json"},{"type":"ADVISORY","url":"https://github.com/TYPO3/typo3/security/advisories/GHSA-36g8-62qv-5957"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34358"},{"type":"ADVISORY","url":"https://typo3.org/security/advisory/typo3-core-sa-2024-010"},{"type":"FIX","url":"https://github.com/TYPO3/typo3/commit/05c95fed869a1a6dcca06c7077b83b6ea866ff14"},{"type":"FIX","url":"https://github.com/TYPO3/typo3/commit/1e70ebf736935413b0531004839362b4fb0755a5"},{"type":"FIX","url":"https://github.com/TYPO3/typo3/commit/df7909b6a1cf0f12a42994d0cc3376b607746142"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/typo3/typo3","events":[{"introduced":"6a5e2d4097ef0a0e3ea955af93cf83810d6fa234"},{"fixed":"8c01ea0cd9f5ecd3003d46c5fae521784d619a73"}],"database_specific":{"versions":[{"introduced":"11.0.0"},{"fixed":"11.5.37"}]}},{"type":"GIT","repo"
:"https://github.com/typo3/typo3","events":[{"introduced":"36096733dea4bd6f6168209609fa879dc25c0138"},{"fixed":"85cb1b09b03366d4cf690064d9f2afb013b27c82"}],"database_specific":{"versions":[{"introduced":"12.0.0"},{"fixed":"12.4.15"}]}},{"type":"GIT","repo":"https://github.com/typo3/typo3","events":[{"introduced":"fd8745e46bb11773e85524b8ee9650dabe340713"},{"fixed":"dbe306ed9ddeda3c56f78ba919a8f8b4642dd6a4"}],"database_specific":{"versions":[{"introduced":"13.0.0"},{"fixed":"13.1.1"}]}}],"versions":["v11.0.0","v11.1.0","v11.2.0","v11.3.0","v11.4.0","v11.5.0","v11.5.1","v11.5.10","v11.5.11","v11.5.12","v11.5.13","v11.5.14","v11.5.15","v11.5.16","v11.5.17","v11.5.18","v11.5.19","v11.5.2","v11.5.20","v11.5.21","v11.5.22","v11.5.23","v11.5.24","v11.5.25","v11.5.26","v11.5.27","v11.5.28","v11.5.29","v11.5.3","v11.5.30","v11.5.31","v11.5.32","v11.5.33","v11.5.34","v11.5.35","v11.5.36","v11.5.4","v11.5.5","v11.5.6","v11.5.7","v11.5.8","v11.5.9","v12.0.0","v12.1.0","v12.2.0","v12.3.0","v12.4.0","v12.4.1","v12.4.10","v12.4.11","v12.4.12","v12.4.13","v12.4.14","v12.4.2","v12.4.3","v12.4.4","v12.4.5","v12.4.6","v12.4.7","v12.4.8","v12.4.9","v13.0.0","v13.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34358.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/typo3/typo3.cms","events":[{"introduced":"6a5e2d4097ef0a0e3ea955af93cf83810d6fa234"},{"fixed":"8c01ea0cd9f5ecd3003d46c5fae521784d619a73"},{"introduced":"36096733dea4bd6f6168209609fa879dc25c0138"},{"fixed":"85cb1b09b03366d4cf690064d9f2afb013b27c82"},{"introduced":"fd8745e46bb11773e85524b8ee9650dabe340713"},{"fixed":"dbe306ed9ddeda3c56f78ba919a8f8b4642dd6a4"}],"database_specific":{"versions":[{"introduced":"11.0.0"},{"fixed":"11.5.37"},{"introduced":"12.0.0"},{"fixed":"12.4.15"},{"introduced":"13.0.0"},{"fixed":"13.1.1"}]}}],"versions":["v11.0.0","v11.1.0","v11.2.0","v11.3.0","v11.4.0","v11.5.0","v11.5.1","v11.5.10","v11.5.11","v11.5.12","v11.5.13","v11.5.14",
"v11.5.15","v11.5.16","v11.5.17","v11.5.18","v11.5.19","v11.5.2","v11.5.20","v11.5.21","v11.5.22","v11.5.23","v11.5.24","v11.5.25","v11.5.26","v11.5.27","v11.5.28","v11.5.29","v11.5.3","v11.5.30","v11.5.31","v11.5.32","v11.5.33","v11.5.34","v11.5.35","v11.5.36","v11.5.4","v11.5.5","v11.5.6","v11.5.7","v11.5.8","v11.5.9","v12.0.0","v12.1.0","v12.2.0","v12.3.0","v12.4.0","v12.4.1","v12.4.10","v12.4.11","v12.4.12","v12.4.13","v12.4.14","v12.4.2","v12.4.3","v12.4.4","v12.4.5","v12.4.6","v12.4.7","v12.4.8","v12.4.9","v13.0.0","v13.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34358.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}