#VU89504 Resource exhaustion in TYPO3 - CVE-2024-34358

Cybersecurity Help s.r.o.

Published: 2024-05-15

Vulnerability identifier: #VU89504

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-34358

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
TYPO3
Web applications / CMS

Vendor: TYPO3

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in ShowImageController. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

TYPO3: 9.0.0 - 9.5.47, 10.0.0 - 13.1.0

External links
https://github.com/TYPO3/typo3/security/advisories/GHSA-36g8-62qv-5957
https://github.com/TYPO3/typo3/commit/05c95fed869a1a6dcca06c7077b83b6ea866ff14
https://github.com/TYPO3/typo3/commit/1e70ebf736935413b0531004839362b4fb0755a5
https://github.com/TYPO3/typo3/commit/df7909b6a1cf0f12a42994d0cc3376b607746142
https://typo3.org/security/advisory/typo3-core-sa-2024-010

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in TYPO3