CVE-2024-34537: Denial of Service in TYPO3 Bookmark Toolbar

October 8, 2024 (updated October 31, 2024)

Problem

Due to insufficient input validation, manipulated data saved in the bookmark toolbar of the backend user interface causes a general error state, blocking further access to the interface. Exploiting this vulnerability requires an administrator-level backend user account.

Solution

Update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described.

Credits

Thanks to Hendrik Eichner who reported this issue and to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue.

References

TYPO3-CORE-SA-2024-011

References

github.com/TYPO3-CMS/backend
github.com/TYPO3/typo3/security/advisories/GHSA-ffcv-v6pw-qhrp
github.com/advisories/GHSA-ffcv-v6pw-qhrp
nvd.nist.gov/vuln/detail/CVE-2024-34537
typo3.org/security/advisory/typo3-core-sa-2024-011
www.mgm-sp.com/cve/denial-of-service-in-typo3-bookmark-toolbar

Code Behaviors & Features

Detect and mitigate CVE-2024-34537 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →