Meta
- CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C (5.0)
- CWE-79
ℹ️ This vulnerability was already fixed in May 2019; the CVE and GHSA were assigned later, in October 2020.
Problem
It has been discovered that the Fluid Engine (package typo3fluid/fluid) is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like the following.
{showFullName ? fullName : defaultValue}
Solution
Update to versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 of this typo3fluid/fluid package that fix the problem described.
Updated versions of this package are bundled in the following TYPO3 (typo3/cms-core) releases:
- TYPO3 v8.7.25 (using typo3fluid/fluid v2.5.5)
- TYPO3 v9.5.6 (using typo3fluid/fluid v2.6.1)
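To check a project against the fixed versions listed above, the following added example (not code from TYPO3 or this advisory) reads the typo3fluid/fluid version from a composer.lock and, when it is not known to be fixed, lists the ternary expressions in the given templates for review. The function names, the simplified ternary pattern and the handling of branches outside 2.0 to 2.6 are assumptions.

```python
import json
import re

# Fixed releases per minor branch, taken from the advisory's "Solution" section.
FIXED = {(2, 0): 5, (2, 1): 4, (2, 2): 1, (2, 3): 5, (2, 4): 1, (2, 5): 5, (2, 6): 1}

# Inline ternary such as {showFullName ? fullName : defaultValue}.
# Simplified pattern (assumption): no nested braces inside the expression.
TERNARY = re.compile(r"\{\s*[^{}?:]+?\s*\?\s*[^{}?:]+?\s*:\s*[^{}?:]+?\s*\}")


def fluid_status(version):
    """Classify a typo3fluid/fluid version string as 'vulnerable', 'fixed' or 'unknown'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "unknown"  # dev branches, aliases etc. need a manual look
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED:
        return "fixed" if patch >= FIXED[(major, minor)] else "vulnerable"
    # Assumption: branches newer than 2.6 descend from fixed code; the page
    # says nothing about releases older than 2.0, so those stay 'unknown'.
    return "fixed" if (major, minor) > (2, 6) else "unknown"


def audit(composer_lock_text, templates):
    """Return (status, findings); findings are (template name, line no, expression)."""
    lock = json.loads(composer_lock_text)
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    version = next((p["version"] for p in packages if p["name"] == "typo3fluid/fluid"), None)
    status = fluid_status(version) if version else "not installed"
    findings = []
    if status in ("vulnerable", "unknown"):
        for name, text in templates.items():
            for lineno, line in enumerate(text.splitlines(), 1):
                findings += [(name, lineno, m.group(0)) for m in TERNARY.finditer(line)]
    return status, findings


# Constructed sample input, not taken from a real project.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "typo3fluid/fluid", "version": "2.5.4"}]})
SAMPLE_TEMPLATES = {
    "Show.html": "<h1>{title}</h1>\n<p>{showFullName ? fullName : defaultValue}</p>\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE_LOCK, SAMPLE_TEMPLATES))
```
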
Credits
Thanks to Bill Dagou who reported this issue and to TYPO3 core merger Claus Due who fixed the issue.
References