CVE-2020-15241

Published: Oct 8, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

4.7

MEDIUM

Description

TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1).

Vendor	Product	Versions
TYPO3	Fluid	affected `>= 2.0.0, < 2.0.5` affected `>= 2.1.0, < 2.1.4` affected `>= 2.2.0, < 2.2.1` affected `>= 2.3.0, < 2.3.5` affected `>= 2.4.0, < 2.4.1` +2 more versions

Weaknesses (CWE)

CWE-601

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/TYPO3/Fluid/security/advisories/GHSA-7733-hjv6-4h47

x_refsource_CONFIRM

https://github.com/TYPO3/Fluid/commit/9ef6a8ffff2e812025fc0701b4ce72eea6911a3d

x_refsource_MISC

https://typo3.org/security/advisory/typo3-core-sa-2019-013

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-15241

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References