MEDIUM 6.1
GHSA-22q7-cg4r-p9mx
TYPO3 Cross-Site Scripting in Fluid ViewHelpers
Details
Failing to properly encode user input, templates using built-in Fluid ViewHelpers are vulnerable to cross-site scripting.
Are you affected?
Enter the version of the package you're using.
Affected packages
Packagist / typo3/cms-fluid
Introduced in:
8.0.0 Fixed in: 8.7.23 Fix
composer require typo3/cms-fluid:^8.7.23 Packagist / typo3/cms-fluid
Introduced in:
9.0.0 Fixed in: 9.5.4 Fix
composer require typo3/cms-fluid:^9.5.4 References
- https://github.com/TYPO3-CMS/fluid/commit/1a65dcc4a8f17f61a8055c0fd46c324c44c9980d [WEB]
- https://github.com/TYPO3-CMS/fluid/commit/a40f468d1534a68cfce91ce2a8e2a1ff81db5cf5 [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-01-22-4.yaml [WEB]
- https://github.com/TYPO3-CMS/fluid [PACKAGE]
- https://github.com/TYPO3-CMS/fluid/compare/v8.7.22...v8.7.23 [WEB]
- https://github.com/TYPO3-CMS/fluid/compare/v9.5.3...v9.5.4 [WEB]
- https://typo3.org/security/advisory/typo3-core-sa-2019-005 [WEB]