CVE-2020-26216 – Cross-Site Scripting in TYPO3 Fluid

https://notcve.org/view.php?id=CVE-2020-26216

TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. 2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. 3. • https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf https://typo3.org/security/advisory/typo3-core-sa-2020-009 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •