CVE-2020-15241 — Open Redirect in Fluid Engine

CWE-601 — Open Redirect CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

CNA4.7

EPSS

0.3%

top 43.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 Fluid Engine Typo3 CMS Typo3 Cms-core +3 more

Timeline

PublishedOct 8

Description

TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages6 packages

▶NVDtypo3/fluid_engine2.1.0 — 2.1.4+6

▶Packagisttypo3fluid/fluid2.0.0 — 2.0.5+6

▶CVEListV5typo3/fluid7 versions+6

▶Packagisttypo3/cms8.0.0 — 8.7.25+1

▶Packagisttypo3/cms-core8.0.0 — 8.7.25+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Cross-Site Scripting in TYPO3 Fluid Engine↗2020-10-08

▶

OSV

Cross-Site Scripting in ternary conditional operator↗2020-10-08

▶

GHSA

Cross-Site Scripting in ternary conditional operator↗2020-10-08

▶