Cross-Site Scripting in ternary conditional operator

Package: typo3/cms-core
Affected versions: >= 8.0.0, < 8.7.25; >= 9.0.0, < 9.5.6
Patched versions: 8.7.25, 9.5.6

Package: typo3fluid/fluid
Affected versions: >= 2.0.0, < 2.0.5; >= 2.1.0, < 2.1.4; >= 2.2.0, < 2.2.1; >= 2.3.0, < 2.3.5; >= 2.4.0, < 2.4.1; >= 2.5.0, < 2.5.5; >= 2.6.0, < 2.6.1
Patched versions: 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5, 2.6.1

Reviewed: Oct 8, 2020
Published to the GitHub Advisory Database: Oct 8, 2020
Published by the National Vulnerability Database: Oct 8, 2020
Last updated: Feb 1, 2024

Description
ℹ️ This vulnerability was already fixed in May 2019; the CVE and GHSA were assigned later, in October 2020.

Problem
It has been discovered that the Fluid Engine (package typo3fluid/fluid) is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like the following.

Solution
Update to versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 of this typo3fluid/fluid package that fix the problem described.

Updated versions of this package are bundled in the following TYPO3 (typo3/cms-core) releases:
typo3fluid/fluid v2.5.5)
typo3fluid/fluid v2.6.1)

Credits
Thanks to Bill Dagou who reported this issue and to TYPO3 core merger Claus Due who fixed the issue.
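
One way to check a project against the affected ranges listed in this advisory, as an added example that is not part of the original advisory or of TYPO3's own tooling: it reads the "packages" and "packages-dev" lists of a composer.lock file and reports each installed typo3/cms-core or typo3fluid/fluid version that falls inside an affected range. The function names and the sample lock content are assumptions made for this example.

```python
import json
import re

# Affected ranges copied from this advisory: (first affected, first patched).
AFFECTED = {
    "typo3/cms-core": [("8.0.0", "8.7.25"), ("9.0.0", "9.5.6")],
    "typo3fluid/fluid": [
        ("2.0.0", "2.0.5"), ("2.1.0", "2.1.4"), ("2.2.0", "2.2.1"),
        ("2.3.0", "2.3.5"), ("2.4.0", "2.4.1"), ("2.5.0", "2.5.5"),
        ("2.6.0", "2.6.1"),
    ],
}

def parse_version(text):
    """Turn '2.5.4' or 'v9.5.5' into (2, 5, 4); None for dev branches etc."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def fix_for(package, version):
    """Return the patched version to upgrade to, or None if not affected."""
    if package not in AFFECTED:
        return None
    v = parse_version(version)
    if v is None:
        return "unknown"  # e.g. dev-main: cannot be compared, review by hand
    for low, fixed in AFFECTED[package]:
        if parse_version(low) <= v < parse_version(fixed):
            return fixed
    return None

def audit_lock(lock_text):
    """Scan composer.lock content; return [(package, installed, fixed)]."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in (lock.get("packages") or []) + (lock.get("packages-dev") or []):
        name, installed = pkg.get("name", ""), pkg.get("version", "")
        fixed = fix_for(name, installed)
        if fixed:
            findings.append((name, installed, fixed))
    return findings

# Constructed sample lock content, not taken from a real project.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v9.5.5"},
    {"name": "typo3fluid/fluid", "version": "2.6.0"},
    {"name": "example/unaffected", "version": "2.6.0"},
], "packages-dev": []})

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

A result of "unknown" means the installed version string is not a plain x.y.z release and has to be compared with the ranges by hand.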