CVE-2020-15241

MEDIUM

TYPO3 Fluid Engine <2.0.5-2.6.1 - XSS

Title source: llm

Description

TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1).

References (3)

Core 3

Core References

Exploit, Third Party Advisory x_refsource_confirm

https://github.com/TYPO3/Fluid/security/advisories/GHSA-7733-hjv6-4h47

Patch, Third Party Advisory x_refsource_misc

https://github.com/TYPO3/Fluid/commit/9ef6a8ffff2e812025fc0701b4ce72eea6911a3d

View Patch ZIP pw:eip

Exploit, Third Party Advisory x_refsource_misc

https://typo3.org/security/advisory/typo3-core-sa-2019-013

Scores

CVSS v3 4.7

EPSS 0.0034

EPSS Percentile 56.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-601 CWE-79

Status published

Products (6)

typo3/cms 8.0.0 - 8.7.25Packagist

typo3/cms-core 8.0.0 - 8.7.25Packagist

typo3/fluid_engine < 2.0.5

typo3/typo3 8.7.25

typo3/typo3 9.5.6

typo3fluid/fluid 2.0.0 - 2.0.5Packagist

Published Oct 08, 2020

Tracked Since Feb 18, 2026