CVE-2020-26216Cross-site Scripting in Fluid

CWE-79Cross-site Scripting4 documents4 sources
Severity
6.1MEDIUMNVD
CNA8.0
EPSS
0.6%
top 30.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Typo3 FluidTypo3fluid Fluid
Timeline
PublishedNov 17
Latest updateNov 18

Description

TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. 2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared es

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

Packagisttypo3fluid/fluid2.0.02.0.8+6
NVDtypo3/fluid2.1.02.1.7+6
CVEListV5typo3/fluid7 versions+6

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
Cross-Site Scripting through Fluid view helper arguments2020-11-18
OSV
Cross-Site Scripting through Fluid view helper arguments2020-11-18
CVEList
Cross-Site Scripting in TYPO3 Fluid2020-11-17
CVE-2020-26216 — Cross-site Scripting in Typo3 Fluid | cvebase