CVE-2024-34356
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in TYPO3's form manager backend module. It allows authenticated backend users with form module access to inject malicious scripts that could steal session cookies or perform unauthorized actions. Only TYPO3 installations with vulnerable versions and authenticated backend users are affected.
💻 Affected Systems
- TYPO3 CMS
📦 What is this software?
TYPO3 by TYPO3
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious backend user could steal administrator session cookies, escalate privileges, or perform unauthorized administrative actions within the TYPO3 backend.
Likely Case
Authenticated users with form module access could inject scripts that affect other backend users viewing the same form manager interface, potentially stealing their session data.
If Mitigated
With proper access controls limiting form module access to trusted users only, the impact is minimal as exploitation requires authenticated backend access.
🎯 Exploit Status
Exploitation requires a valid backend user account with access to the form manager module. The vulnerability is in the backend interface, not the frontend.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: TYPO3 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, or 13.1.1
Vendor Advisory: https://typo3.org/security/advisory/typo3-core-sa-2024-008
Restart Required: No
Instructions:
1. Identify your TYPO3 version.
2. Upgrade to the patched version for your branch: 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, or 13.1.1.
3. Apply the upgrade using TYPO3's standard update procedures.
4. Clear all caches after the upgrade.
🔧 Temporary Workarounds
Restrict Form Manager Access
Limit backend user access to the form manager module to only trusted administrators who absolutely need it.
Navigate to TYPO3 backend > Admin Tools > Access > Backend Users > Edit user > Modules tab > Uncheck 'Form' module
Apply Security Patch Manually
Apply the specific commits that fix the XSS vulnerability without a full version upgrade.
Apply GitHub commits: 2832e2f51f929aeddb5de7d667538a33ceda8156, d0393a879a32fb4e3569acad6bdb5cda776be1e5, e95a1224719efafb9cab2d85964f240fd0356e64
🧯 If You Can't Patch
- Restrict backend user permissions to minimize who can access the form manager module
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Check the TYPO3 version in the backend dashboard or via composer show typo3/cms-core. If the version is below the patched release for its branch (9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, or 13.1.1) and the form manager module is accessible to backend users, the system is vulnerable.
Check Version:
composer show typo3/cms-core | grep version
Verify Fix Applied:
After the upgrade, verify that the reported version is at least the patched release for your branch: 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, or 13.1.1. Then confirm the form manager module still works as expected.
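The version check above is easy to get wrong by hand, because each release branch has its own patched version and a plain string comparison does not respect branch boundaries. The following script is an added example (not part of the advisory or of the TYPO3 project) that parses the output of composer show typo3/cms-core and compares it against the patched releases listed on this page. The patched version numbers come from the page; the "versions : * v12.4.10" output line format that parse_version() expects is an assumption, as is the sample output.

```python
"""Compare the installed TYPO3 core version with the patched releases listed in
the advisory for CVE-2024-34356.

Added example, not part of the advisory or the TYPO3 project. The patched
version numbers come from the page; the `composer show` output format that
parse_version() expects ("versions : * v12.4.10") is an assumption.
"""
import re
import subprocess

# Minimum patched release per branch, as listed on the page. The (13,) prefix
# covers every 13.x release below 13.1.1, since 13.1.1 is the only 13.x fix named.
FIXED_VERSIONS = {
    (9, 5): (9, 5, 48),
    (10, 4): (10, 4, 45),
    (11, 5): (11, 5, 37),
    (12, 4): (12, 4, 15),
    (13,): (13, 1, 1),
}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from `composer show` output or a bare version.

    Prefers the "versions :" line so that a version mentioned elsewhere in the
    output (for example in a description) is not picked up by mistake.
    """
    for line in text.splitlines():
        if line.strip().lower().startswith("versions"):
            text = line
            break
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no X.Y.Z version found in: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True if `version` is on a listed branch and below its patched release,
    False if it is at or above the fix, None if the branch is not listed on
    the page (treat as unverified rather than as safe)."""
    for prefix, fixed in FIXED_VERSIONS.items():
        if version[:len(prefix)] == prefix:
            return version < fixed
    return None


def check_composer_output(output):
    """Classify raw `composer show typo3/cms-core` output."""
    return is_vulnerable(parse_version(output))


def check_installed(project_dir="."):
    """Run `composer show typo3/cms-core` in the project and classify the result."""
    result = subprocess.run(
        ["composer", "show", "typo3/cms-core"],
        cwd=project_dir, capture_output=True, text=True, check=True,
    )
    return check_composer_output(result.stdout)


# Constructed sample of `composer show` output (format is an assumption).
SAMPLE_OUTPUT = """name     : typo3/cms-core
descrip. : TYPO3 CMS Core
versions : * v12.4.10
"""

if __name__ == "__main__":
    status = check_composer_output(SAMPLE_OUTPUT)
    print({True: "VULNERABLE", False: "patched", None: "branch not listed"}[status])
```

Run it from the TYPO3 project root with check_installed(); a None result means the installed branch is not one the advisory names, so the installation should be verified against the vendor advisory rather than assumed safe.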
📡 Detection & Monitoring
Log Indicators:
- Unusual form manager activity from non-admin users
- Multiple failed login attempts followed by form manager access
Network Indicators:
- Suspicious JavaScript payloads in form-related backend requests
SIEM Query:
source="typo3" AND ("form manager" OR "formmodule") AND ("script" OR "javascript" OR "onload" OR "onerror")
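The SIEM query above combines a form-manager marker with a payload marker. As an added example (not from the advisory), the script below applies the same two-term logic to backend log lines, with one practical refinement: it URL-decodes each line before matching, since a payload submitted through a form field usually reaches the log percent-encoded and would not match a raw substring search. The keywords are the ones the page lists; the log line format, the user= field, and the sample lines are constructed.

```python
"""Flag backend log lines that combine form-manager activity with script-like
payload markers, mirroring the SIEM query from the advisory.

Added example, not from the advisory or the TYPO3 project. The module and
payload keywords are the ones the page lists; the log line format (including
the user=<name> field) and the sample lines below are constructed.
"""
from collections import Counter
from urllib.parse import unquote_plus

MODULE_MARKERS = ("form manager", "formmodule")
PAYLOAD_MARKERS = ("script", "javascript", "onload", "onerror")


def is_suspicious(line):
    """Match the SIEM query's terms against the URL-decoded, lower-cased line.

    Decoding first matters: "%3Cscript%3E" does not contain the substring
    "script" until it is decoded to "<script>".
    """
    decoded = unquote_plus(line).lower()
    module_hit = any(marker in decoded for marker in MODULE_MARKERS)
    payload_hit = any(marker in decoded for marker in PAYLOAD_MARKERS)
    return module_hit and payload_hit


def scan(lines):
    """Return the 1-based indices of suspicious lines."""
    return [i for i, line in enumerate(lines, 1) if is_suspicious(line)]


def actors(lines):
    """Count flagged lines per backend user (assumes a 'user=<name>' field)."""
    counts = Counter()
    for line in lines:
        if not is_suspicious(line):
            continue
        for field in line.split():
            if field.startswith("user="):
                counts[field[len("user="):]] += 1
    return counts


# Constructed sample log lines; the format is an assumption for this example.
SAMPLE_LOG = [
    '2024-05-10T10:15:01Z user=admin1 module="form manager" action=list status=200',
    '2024-05-10T10:16:42Z user=editor7 module="form manager" action=search q=%3Cscript%3Ex%3C%2Fscript%3E status=200',
    '2024-05-10T10:17:03Z user=editor7 module="page" action=edit q=onload status=200',
    '2024-05-10T10:18:30Z user=editor7 module="formmodule" action=rename name=javascript%3Avoid status=200',
    '2024-05-10T10:19:12Z user=admin1 module="form manager" action=search q=registration+form status=200',
]

if __name__ == "__main__":
    for index in scan(SAMPLE_LOG):
        print(f"line {index}: {SAMPLE_LOG[index - 1]}")
    print(dict(actors(SAMPLE_LOG)))
```

Lines 2 and 4 are flagged; line 3 carries a payload marker but is not form-manager activity, and lines 1 and 5 are ordinary form-manager use. Bare keyword matches such as "script" are noisy on a busy backend, so treat hits as triage candidates, grouped per user as actors() does, rather than as confirmed exploitation.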
🔗 References
- https://github.com/TYPO3/typo3/commit/2832e2f51f929aeddb5de7d667538a33ceda8156
- https://github.com/TYPO3/typo3/commit/d0393a879a32fb4e3569acad6bdb5cda776be1e5
- https://github.com/TYPO3/typo3/commit/e95a1224719efafb9cab2d85964f240fd0356e64
- https://github.com/TYPO3/typo3/security/advisories/GHSA-v6mw-h7w6-59w3
- https://typo3.org/security/advisory/typo3-core-sa-2024-008