CVE-2020-26216

HIGH

Typo3 Fluid < 2.0.8 - XSS

Title source: rule

Description

TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid:

1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys.
2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format.
3. Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format.

Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of the typo3fluid/fluid package, which fix the problem described. More details are available in the linked advisory.
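The first issue in the description above, as an added PHP example (not Fluid's TagBuilder source and not the project's patch): a simplified tag renderer that escapes attribute values but writes keys verbatim, next to a variant that refuses any key that is not a plain attribute name. The function names, the name pattern and the sample input are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Simplified stand-in for a tag builder; hypothetical names, not Fluid's code.

/** Pattern from the description: values are escaped, keys are written verbatim. */
function renderTagKeysVerbatim(string $tag, array $attributes): string
{
    $html = '<' . $tag;
    foreach ($attributes as $name => $value) {
        $html .= ' ' . $name . '="' . htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $html . '>';
}

/** Defensive variant: reject keys that are not a plain attribute name, then escape key and value. */
function renderTagKeysChecked(string $tag, array $attributes): string
{
    $html = '<' . $tag;
    foreach ($attributes as $name => $value) {
        $name = (string)$name;
        // \A and \z anchor the whole string; a bare $ would accept a trailing newline.
        if (preg_match('/\A[A-Za-z_][A-Za-z0-9_.:-]*\z/', $name) !== 1) {
            throw new InvalidArgumentException('Rejected attribute name: ' . json_encode($name));
        }
        $html .= ' ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
            . '="' . htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $html . '>';
}

// Constructed sample input: the key closes the attribute and the tag, then adds inert markup.
$additionalAttributes = ['data-x="1"><b>injected</b><i data-y' => 'v'];

// The verbatim renderer lets the key terminate the <div> and start new elements.
echo renderTagKeysVerbatim('div', $additionalAttributes), PHP_EOL;

// The checked renderer refuses the same key instead of emitting it.
try {
    echo renderTagKeysChecked('div', $additionalAttributes), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// A well-formed key still renders, with the quote in the value escaped.
echo renderTagKeysChecked('div', ['data-id' => 'a"b']), PHP_EOL;
```

The name check only stops a key from breaking out of the tag; which attribute names a template may set from untrusted data is a separate allow-list decision.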

References (3)

Exploit, Third Party Advisory x_refsource_confirm
https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf
Exploit, Vendor Advisory x_refsource_misc
https://typo3.org/security/advisory/typo3-core-sa-2020-009

Scores

CVSS v3 8.0
EPSS 0.0058
EPSS Percentile 69.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Details

CWE
CWE-79
Status published
Products (2)
typo3/fluid < 2.0.8
typo3fluid/fluid 2.0.0 - 2.0.8 (Packagist)
Published Nov 17, 2020
Tracked Since Feb 18, 2026