CVE-2020-26227

Name of the Vulnerable Software and Affected Versions TYPO3 versions prior to 9.5.23 TYPO3 versions prior to 10.4.10

Description The system extension Fluid of the TYPO3 core is vulnerable to cross-site scripting when passing user-controlled data as an argument to Fluid view helpers. This issue affects the typo3/cms-fluid extension. The estimated number of potentially affected devices worldwide is not specified.

Technical details about exploitation include passing user-controlled data to Fluid view helpers, such as in the following examples: <f:form ... fieldNamePrefix="{payload}" />, <f:be.labels.csh ... label="{payload}" />, <f:be.menus.actionMenu ... label="{payload}" />. The payload variable is user-controlled and can be used to inject malicious code.

Recommendations Update to TYPO3 version 9.5.23 or later. Update to TYPO3 version 10.4.10 or later. As a temporary workaround, consider restricting the use of the typo3/cms-fluid extension until a patch is applied. Avoid using user-controlled data as arguments to Fluid view helpers until the issue is resolved.