VYPR
High severityNVD Advisory· Published Nov 17, 2020· Updated Aug 4, 2024

Cross-Site Scripting in TYPO3 Fluid

CVE-2020-26216

Description

TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. 2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. 3. Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format. Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of this typo3fluid/fluid package that fix the problem described. More details are available in the linked advisory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
typo3fluid/fluidPackagist
>= 2.0.0, < 2.0.82.0.8
typo3fluid/fluidPackagist
>= 2.1.0, < 2.1.72.1.7
typo3fluid/fluidPackagist
>= 2.2.0, < 2.2.42.2.4
typo3fluid/fluidPackagist
>= 2.3.0, < 2.3.72.3.7
typo3fluid/fluidPackagist
>= 2.4.0, < 2.4.42.4.4
typo3fluid/fluidPackagist
>= 2.5.0, < 2.5.112.5.11
typo3fluid/fluidPackagist
>= 2.6.0, < 2.6.102.6.10

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.