Improper Verification of Cryptographic Signature Affecting typo3/cms-core package, versions >=9.0.0, <9.5.48>=10.0.0, <10.4.45>=11.0.0, <11.5.37>=12.0.0, <12.4.15>=13.0.0, <13.1.1


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.05% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PHP-TYPO3CMSCORE-6841724
  • published15 May 2024
  • disclosed14 May 2024
  • creditTorben Hansen

Introduced: 14 May 2024

CVE-2024-34358  (opens in a new tab)
CWE-347  (opens in a new tab)

How to fix?

Upgrade typo3/cms-core to version 9.5.48, 10.4.45, 11.5.37, 12.4.15, 13.1.1 or higher.

Overview

typo3/cms-core is a free open source enterprise content management system.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the lack of a cryptographic HMAC-signature on the frame HTTP query parameter. An attacker can instruct the system to produce an arbitrary number of thumbnail images on the server side by manipulating the frame parameter in the HTTP query.

CVSS Scores

version 3.1