PT-2020-16346 · Typo3 · Typo3 Fluid

Jonas Eberle +1 · Published 2020-11-17 · Updated 2020-12-02 · CVE-2020-26216

CVSS v3.1: 8.0 (High)

Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

TYPO3 Fluid versions prior to 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11, and 2.6.10

Description

The issue concerns Cross-Site Scripting (XSS) vulnerabilities in TYPO3 Fluid. Three XSS vulnerabilities have been detected:
  1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML.
  2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format.
  3. Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format.

Recommendations

Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11, or 2.6.10 of the typo3fluid/fluid package to fix the problem described. For custom ViewHelpers which use CompileWithContentArgumentAndRenderStatic, consider passing a 6th argument with value false to the call to registerArgument to explicitly disable escaping of the argument value, but be aware that this constitutes a potential security issue. As a temporary workaround, consider using f:format.raw to intentionally disable escaping for variables containing HTML, but note that this also constitutes a potential security issue for which the template author is solely responsible.
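
The first issue in the description (attribute-closing quotes in additionalAttributes keys) can be modelled in a few lines of PHP, with the hardened form beside it. This is an added example, not code from the advisory or from the typo3fluid/fluid package; the functions renderTagUnsafe and renderTagSafe and the sample array are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Simplified model of a tag builder. NOT Fluid's own TagBasedViewHelper code;
// function names and sample data are hypothetical.

/** Behaviour the advisory describes: values are escaped, keys are trusted. */
function renderTagUnsafe(string $tag, array $attributes): string
{
    $html = '<' . $tag;
    foreach ($attributes as $name => $value) {
        // The key is concatenated verbatim, so a quote inside it ends the attribute.
        $html .= ' ' . $name . '="'
            . htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $html . '>';
}

/** Hardened form: keys are validated, then escaped like the values. */
function renderTagSafe(string $tag, array $attributes): string
{
    $html = '<' . $tag;
    foreach ($attributes as $name => $value) {
        $name = (string)$name; // numeric keys arrive as int
        // Drop names containing whitespace, quotes, '=', '<', '>', '/' or control bytes.
        if ($name === '' || preg_match('/[\s"\'<>\/=\x00-\x1f]/', $name)) {
            continue;
        }
        $html .= ' ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '="'
            . htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $html . '>';
}

// Constructed input: one legitimate key and one key that closes the
// attribute and the tag, then appends harmless marker markup.
$additionalAttributes = [
    'data-id' => '42',
    'x="1"><b>injected</b><i y' => 'v',
];

echo renderTagUnsafe('div', $additionalAttributes), PHP_EOL; // marker markup escapes the tag
echo renderTagSafe('div', $additionalAttributes), PHP_EOL;   // only data-id is rendered
```

When auditing templates on an unpatched installation, the same reasoning applies to any place where array keys passed as additionalAttributes originate from user-controlled data.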

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2020-26216
GHSA-HPJM-3WW5-6CPF

Affected Products

Typo3 Fluid