EPSS Percentile: 50.1%
typo3/fluid is vulnerable to cross-site scripting (XSS). An attacker can inject and execute malicious script in a user's browser via 1) additionalAttributes arrays, 2) ViewHelpers, or 3) subclasses of AbstractConditionViewHelper.
github.com/TYPO3/Fluid/commit/0d8f96d604a4a68a94c5d126a897ddef53b2a62f
github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc
github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf
typo3.org/security/advisory/typo3-core-sa-2020-009