CVE-2020-15241
Cross-Site Scripting in TYPO3 Fluid Engine
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1).
TYPO3 Fluid Engine (paquete "ypo3fluid/fluid") versiones anteriores a 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 o 2.6.1, es susceptible a una vulnerabilidad de tipo cross-site scripting cuando se utiliza el operador condicional ternario en plantillas como "{showFullName ? fullName : defaultValue}". Las versiones actualizadas de este paquete tambiƩn se incluyen en las siguientes versiones de TYPO3 ("typo3/cms-core"): TYPO3 v8.7.25 (usando "typo3fluid/fluid" v2.5.4) y TYPO3 v9.5.6 (usando "typo3fluid/fluid" v2.6.1)
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-06-25 CVE Reserved
- 2020-10-08 CVE Published
- 2024-06-25 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CAPEC
References (3)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/TYPO3/Fluid/security/advisories/GHSA-7733-hjv6-4h47 | 2024-08-04 | |
| https://typo3.org/security/advisory/typo3-core-sa-2019-013 | 2024-08-04 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/TYPO3/Fluid/commit/9ef6a8ffff2e812025fc0701b4ce72eea6911a3d | 2021-11-18 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Typo3 Search vendor "Typo3" | Fluid Engine Search vendor "Typo3" for product "Fluid Engine" | < 2.0.5 Search vendor "Typo3" for product "Fluid Engine" and version " < 2.0.5" | - |
Affected
| ||||||
| Typo3 Search vendor "Typo3" | Fluid Engine Search vendor "Typo3" for product "Fluid Engine" | >= 2.1.0 < 2.1.4 Search vendor "Typo3" for product "Fluid Engine" and version " >= 2.1.0 < 2.1.4" | - |
Affected
| ||||||
| Typo3 Search vendor "Typo3" | Fluid Engine Search vendor "Typo3" for product "Fluid Engine" | >= 2.2.0 < 2.2.1 Search vendor "Typo3" for product "Fluid Engine" and version " >= 2.2.0 < 2.2.1" | - |
Affected
| ||||||
| Typo3 Search vendor "Typo3" | Fluid Engine Search vendor "Typo3" for product "Fluid Engine" | >= 2.3.0 < 2.3.5 Search vendor "Typo3" for product "Fluid Engine" and version " >= 2.3.0 < 2.3.5" | - |
Affected
| ||||||
| Typo3 Search vendor "Typo3" | Fluid Engine Search vendor "Typo3" for product "Fluid Engine" | >= 2.4.0 < 2.4.1 Search vendor "Typo3" for product "Fluid Engine" and version " >= 2.4.0 < 2.4.1" | - |
Affected
| ||||||
| Typo3 Search vendor "Typo3" | Fluid Engine Search vendor "Typo3" for product "Fluid Engine" | >= 2.5.0 < 2.5.5 Search vendor "Typo3" for product "Fluid Engine" and version " >= 2.5.0 < 2.5.5" | - |
Affected
| ||||||
| Typo3 Search vendor "Typo3" | Fluid Engine Search vendor "Typo3" for product "Fluid Engine" | >= 2.6.0 < 2.6.1 Search vendor "Typo3" for product "Fluid Engine" and version " >= 2.6.0 < 2.6.1" | - |
Affected
| ||||||
| Typo3 Search vendor "Typo3" | Typo3 Search vendor "Typo3" for product "Typo3" | 8.7.25 Search vendor "Typo3" for product "Typo3" and version "8.7.25" | - |
Affected
| ||||||
| Typo3 Search vendor "Typo3" | Typo3 Search vendor "Typo3" for product "Typo3" | 9.5.6 Search vendor "Typo3" for product "Typo3" and version "9.5.6" | - |
Affected
| ||||||