Cross site scripting

2020-10-0821:15:00

PRIOn knowledge base

www.prio-n.com

0.001 Low

EPSS

Percentile

45.9%

JSON

TYPO3 Fluid Engine (package typo3fluid/fluid) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like {showFullName ? fullName : defaultValue}. Updated versions of this package are bundled in following TYPO3 (typo3/cms-core) versions as well: TYPO3 v8.7.25 (using typo3fluid/fluid v2.5.4) and TYPO3 v9.5.6 (using typo3fluid/fluid v2.6.1).

CPENameOperatorVersion
fluid_enginege2.6.0
fluid_enginelt2.6.1
fluid_enginege2.5.0
fluid_enginelt2.5.5
fluid_enginege2.4.0
fluid_enginelt2.4.1
fluid_enginege2.3.0
fluid_enginelt2.3.5
fluid_enginege2.2.0
fluid_enginelt2.2.1

Name	Operator	Version
fluid_engine	ge	2.6.0
fluid_engine	lt	2.6.1
fluid_engine	ge	2.5.0
fluid_engine	lt	2.5.5
fluid_engine	ge	2.4.0
fluid_engine	lt	2.4.1
fluid_engine	ge	2.3.0
fluid_engine	lt	2.3.5
fluid_engine	ge	2.2.0
fluid_engine	lt	2.2.1