CVE-2020-15241
published 2020-10-08

Priority: P4, 26, medium; CVSS 3.1: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.95% (56.9th percentile)

TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are also bundled in the following TYPO3 (`typo3/cms-core`) versions: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1).

Affected

27 ranges, showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms | >= 8.0.0 < 8.7.25 | 8.7.25 |
| typo3 | cms | >= 9.0.0 < 9.5.6 | 9.5.6 |
| typo3 | cms-core | >= 8.0.0 < 8.7.25 | 8.7.25 |
| typo3 | cms-core | >= 9.0.0 < 9.5.6 | 9.5.6 |
| typo3 | fluid | | |
| typo3 | fluid | | |
| typo3 | fluid | | |
| typo3 | fluid | | |
| typo3 | fluid | | |
| typo3 | fluid | | |
| typo3 | fluid | | |
| typo3 | fluid_engine | < 2.0.5 | 2.0.5 |
| typo3 | fluid_engine | >= 2.1.0 < 2.1.4 | 2.1.4 |
| typo3 | fluid_engine | >= 2.2.0 < 2.2.1 | 2.2.1 |
| typo3 | fluid_engine | >= 2.3.0 < 2.3.5 | 2.3.5 |
| typo3 | fluid_engine | >= 2.4.0 < 2.4.1 | 2.4.1 |
| typo3 | fluid_engine | >= 2.5.0 < 2.5.5 | 2.5.5 |
| typo3 | fluid_engine | >= 2.6.0 < 2.6.1 | 2.6.1 |
| typo3 | typo3 | | |
| typo3 | typo3 | | |
| typo3fluid | fluid | >= 2.0.0 < 2.0.5 | 2.0.5 |
| typo3fluid | fluid | >= 2.1.0 < 2.1.4 | 2.1.4 |
| typo3fluid | fluid | >= 2.2.0 < 2.2.1 | 2.2.1 |
| typo3fluid | fluid | >= 2.3.0 < 2.3.5 | 2.3.5 |
| typo3fluid | fluid | >= 2.4.0 < 2.4.1 | 2.4.1 |

CVSS provenance

nvd, v3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd, v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N