- Component Type: TYPO3 CMS
- Subcomponent: Frontend Rendering (ext:frontend)
- Release Date: May 14, 2024
- Vulnerability Type: Denial of Service
- Affected Versions: 9.0.0-9.5.47, 10.0.0-10.4.44, 11.0.0-11.5.36, 12.0.0-12.4.14, 13.0.0-13.1.0
- Severity: Medium
- Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C
- References: CVE-2024-34358, CWE-347, CWE-400
Problem Description
The ShowImageController (eID tx_cms_showpic) lacks a cryptographic HMAC-signature on the frame HTTP query parameter (e.g. /index.php?eID=tx_cms_showpic?file=3&...&frame=12345).
This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side.
Solution
Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 that fix the problem described.
Strong security defaults - Manual actions required
The frame HTTP query parameter is now ignored, since it could not be used by core APIs.
The new feature flag security.frontend.allowInsecureFrameOptionInShowImageController – which is disabled per default – can be used to reactivate the previous behavior.
Credits
Thanks to TYPO3 security team member Torben Hansen who reported this issue and to TYPO3 core & security team members Benjamin Mack and Benjamin Franzke who fixed the issue.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note
All security-related code changes are tagged so you can easily look them up in our review system.