CVE-2024-34537: 
PHP vulnerability analysis and mitigation

TYPO3 before version 13.3.1 contains a denial of service vulnerability (CVE-2024-34537) in the Bookmark Toolbar (ext:backend) component. The vulnerability was discovered and disclosed on October 8, 2024, affecting TYPO3 versions 10.0.0-10.4.45, 11.0.0-11.5.39, 12.0.0-12.4.20, and 13.0.0-13.3.0 (TYPO3 Advisory, GitHub Advisory).

The vulnerability stems from insufficient input validation in the bookmark toolbar of the backend user interface. When manipulated data is saved in the bookmark toolbar, it causes a general error state that blocks further access to the interface. The attack involves modifying the arguments parameter with an invalid value, particularly when using the routeIdentifier=record_edit functionality. The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (NVD, MGM Security).

When exploited, this vulnerability results in the TYPO3 backend becoming completely inaccessible to all users. Since admin users have the ability to define bookmarks globally, a successful attack affects all users of the system. The backend remains unusable until the malicious entry is manually corrected in the database (MGM Security).

The vulnerability has been fixed in TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, and 13.3.1. Users are strongly advised to update to these patched versions to resolve the security issue. If the system is already affected, the incorrect database entry must be manually corrected to restore the application's functionality (TYPO3 Advisory).