Sinan Sekerci

**Name of the Vulnerable Software and Affected Versions** TYPO3 Fluid versions prior to 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11, and 2.6.10 **Description** The issue concerns Cross-Site Scripting (XSS) vulnerabilities in TYPO3 Fluid. Three XSS vulnerabilities have been detected: 1. `TagBasedViewHelper` allowed XSS through maliciously crafted `additionalAttributes` arrays by creating keys with attribute-closing quotes followed by HTML. 2. `ViewHelpers` which used the `CompileWithContentArgumentAndRenderStatic` trait, and which declared `escapeOutput = false`, would receive the content argument in unescaped format. 3. Subclasses of `AbstractConditionViewHelper` would receive the `then` and `else` arguments in unescaped format. **Recommendations** Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11, or 2.6.10 of the `typo3fluid/fluid` package to fix the problem described. For custom `ViewHelpers` which use `CompileWithContentArgumentAndRenderStatic`, consider passing a 6th argument with value `false` to the call to `registerArgument` to explicitly disable escaping of the argument value, but be aware that this constitutes a potential security issue. As a temporary workaround, consider using `f:format.raw` to intentionally disable escaping for variables containing HTML, but note that this also constitutes a potential security issue for which the template author is solely responsible.