cvelistv5 - cve-2020-26216

CVE-2020-26216 (GCVE-0-2020-26216)

Vulnerability from cvelistv5

Published

2020-11-17 20:45

Modified

2024-08-04 15:49

Severity ?

8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-79 - Cross-site Scripting (XSS)

Summary

TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. 2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. 3. Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format. Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of this typo3fluid/fluid package that fix the problem described. More details are available in the linked advisory.

References

►

URL

Tags

security-advisories@github.com	https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf	Exploit, Third Party Advisory
security-advisories@github.com	https://typo3.org/security/advisory/typo3-core-sa-2020-009	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://typo3.org/security/advisory/typo3-core-sa-2020-009	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	TYPO3	Fluid	Version: >= 2.0.0, < 2.0.8 Version: >= 2.1.0, < 2.1.7 Version: >= 2.2.0, < 2.2.4 Version: >= 2.3.0, < 2.3.7 Version: >= 2.4.0, < 2.4.4 Version: >= 2.5.0, < 2.5.11 Version: >= 2.6.0, < 2.6.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:49:07.226Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-009"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Fluid",
          "vendor": "TYPO3",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.0.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.1.0, \u003c 2.1.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.2.0, \u003c 2.2.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.3.0, \u003c 2.3.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.4.0, \u003c 2.4.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.5.0, \u003c 2.5.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.6.0, \u003c 2.6.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. 2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. 3. Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format. Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of this typo3fluid/fluid package that fix the problem described. More details are available in the linked advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-11-17T20:45:20",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-009"
        }
      ],
      "source": {
        "advisory": "GHSA-hpjm-3ww5-6cpf",
        "discovery": "UNKNOWN"
      },
      "title": "Cross-Site Scripting in TYPO3 Fluid",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-26216",
          "STATE": "PUBLIC",
          "TITLE": "Cross-Site Scripting in TYPO3 Fluid"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Fluid",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 2.0.0, \u003c 2.0.8"
                          },
                          {
                            "version_value": "\u003e= 2.1.0, \u003c 2.1.7"
                          },
                          {
                            "version_value": "\u003e= 2.2.0, \u003c 2.2.4"
                          },
                          {
                            "version_value": "\u003e= 2.3.0, \u003c 2.3.7"
                          },
                          {
                            "version_value": "\u003e= 2.4.0, \u003c 2.4.4"
                          },
                          {
                            "version_value": "\u003e= 2.5.0, \u003c 2.5.11"
                          },
                          {
                            "version_value": "\u003e= 2.6.0, \u003c 2.6.10"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "TYPO3"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. 2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. 3. Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format. Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of this typo3fluid/fluid package that fix the problem described. More details are available in the linked advisory."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf",
              "refsource": "CONFIRM",
              "url": "https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf"
            },
            {
              "name": "https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc",
              "refsource": "MISC",
              "url": "https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc"
            },
            {
              "name": "https://typo3.org/security/advisory/typo3-core-sa-2020-009",
              "refsource": "MISC",
              "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-009"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-hpjm-3ww5-6cpf",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-26216",
    "datePublished": "2020-11-17T20:45:20",
    "dateReserved": "2020-10-01T00:00:00",
    "dateUpdated": "2024-08-04T15:49:07.226Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-26216\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-11-17T21:15:12.427\",\"lastModified\":\"2024-11-21T05:19:33.160\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. 2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. 3. Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format. Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of this typo3fluid/fluid package that fix the problem described. More details are available in the linked advisory.\"},{\"lang\":\"es\",\"value\":\"TYPO3 Fluid anterior a versiones 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 y 2.6.10, es vulnerable a un ataque de tipo Cross-Site Scripting.\u0026#xa0;Se han detectado tres vulnerabilidades de tipo XSS en Fluid: 1. TagBasedViewHelper permit\u00eda un ataque de tipo XSS por medio de matrices de additionalAttributes creadas maliciosamente mediante la creaci\u00f3n de claves con comillas de cierre de atributos seguidas de HTML.\u0026#xa0;Al representar tales atributos, TagBuilder no escapaba de las claves.\u0026#xa0;2. ViewHelpers que usaba el rasgo CompileWithContentArgumentAndRenderStatic, y que declaraba escapeOutput = false, recibir\u00edan el argumento de contenido en formato sin escape.\u0026#xa0;3. Las subclases de AbstractConditionViewHelper recibir\u00edan los argumentos then y else en formato sin escape.\u0026#xa0;Actualice a las versiones 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 o 2.6.10 de este paquete typo3fluid/fluid que corrige el problema descrito. Mas detalles est\u00e1n disponibles en el aviso vinculado\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.0.8\",\"matchCriteriaId\":\"1B363E8D-4ED7-4934-930D-FBB4B6D15DA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.1.0\",\"versionEndExcluding\":\"2.1.7\",\"matchCriteriaId\":\"2E48675B-09B6-456C-8243-D42CFC58257A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.2.0\",\"versionEndExcluding\":\"2.2.4\",\"matchCriteriaId\":\"80CB33A2-8209-40E3-A583-4FE957A4D1BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.3.0\",\"versionEndExcluding\":\"2.3.7\",\"matchCriteriaId\":\"05945C6C-DC02-4046-9CA8-A7DCFE6D3BDB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.4.0\",\"versionEndExcluding\":\"2.4.4\",\"matchCriteriaId\":\"9A0CE039-0971-4B66-B910-4C4BB99222CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.5.0\",\"versionEndExcluding\":\"2.5.11\",\"matchCriteriaId\":\"D0E2C3B5-2ACB-4951-9679-97462A92CFF5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.0\",\"versionEndExcluding\":\"2.6.10\",\"matchCriteriaId\":\"B127ED9C-10B5-45CD-84C9-F2B673ECF892\"}]}]}],\"references\":[{\"url\":\"https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://typo3.org/security/advisory/typo3-core-sa-2020-009\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://typo3.org/security/advisory/typo3-core-sa-2020-009\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
  }
}

fkie_cve-2020-26216

Vulnerability from fkie_nvd

Published

2020-11-17 21:15

Modified

2024-11-21 05:19

Severity ?

8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf	Exploit, Third Party Advisory
security-advisories@github.com	https://typo3.org/security/advisory/typo3-core-sa-2020-009	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://typo3.org/security/advisory/typo3-core-sa-2020-009	Exploit, Vendor Advisory

Impacted products

Vendor	Product	Version
typo3	fluid	*
typo3	fluid	*
typo3	fluid	*
typo3	fluid	*
typo3	fluid	*
typo3	fluid	*
typo3	fluid	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1B363E8D-4ED7-4934-930D-FBB4B6D15DA5",
              "versionEndExcluding": "2.0.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2E48675B-09B6-456C-8243-D42CFC58257A",
              "versionEndExcluding": "2.1.7",
              "versionStartIncluding": "2.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "80CB33A2-8209-40E3-A583-4FE957A4D1BC",
              "versionEndExcluding": "2.2.4",
              "versionStartIncluding": "2.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "05945C6C-DC02-4046-9CA8-A7DCFE6D3BDB",
              "versionEndExcluding": "2.3.7",
              "versionStartIncluding": "2.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A0CE039-0971-4B66-B910-4C4BB99222CF",
              "versionEndExcluding": "2.4.4",
              "versionStartIncluding": "2.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D0E2C3B5-2ACB-4951-9679-97462A92CFF5",
              "versionEndExcluding": "2.5.11",
              "versionStartIncluding": "2.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B127ED9C-10B5-45CD-84C9-F2B673ECF892",
              "versionEndExcluding": "2.6.10",
              "versionStartIncluding": "2.6.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. 2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. 3. Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format. Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of this typo3fluid/fluid package that fix the problem described. More details are available in the linked advisory."
    },
    {
      "lang": "es",
      "value": "TYPO3 Fluid anterior a versiones 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 y 2.6.10, es vulnerable a un ataque de tipo Cross-Site Scripting.\u0026#xa0;Se han detectado tres vulnerabilidades de tipo XSS en Fluid: 1. TagBasedViewHelper permit\u00eda un ataque de tipo XSS por medio de matrices de additionalAttributes creadas maliciosamente mediante la creaci\u00f3n de claves con comillas de cierre de atributos seguidas de HTML.\u0026#xa0;Al representar tales atributos, TagBuilder no escapaba de las claves.\u0026#xa0;2. ViewHelpers que usaba el rasgo CompileWithContentArgumentAndRenderStatic, y que declaraba escapeOutput = false, recibir\u00edan el argumento de contenido en formato sin escape.\u0026#xa0;3. Las subclases de AbstractConditionViewHelper recibir\u00edan los argumentos then y else en formato sin escape.\u0026#xa0;Actualice a las versiones 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 o 2.6.10 de este paquete typo3fluid/fluid que corrige el problema descrito. Mas detalles est\u00e1n disponibles en el aviso vinculado"
    }
  ],
  "id": "CVE-2020-26216",
  "lastModified": "2024-11-21T05:19:33.160",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-11-17T21:15:12.427",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-009"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-009"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-hpjm-3ww5-6cpf

Vulnerability from github

Published

2020-11-18 21:06

Modified

2024-02-07 18:52

Severity ?

8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Summary

Cross-Site Scripting through Fluid view helper arguments

Details

Meta

CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C (5.7)

CWE-79

Problem

Three XSS vulnerabilities have been detected in Fluid:

TagBasedViewHelper allowed XSS throug maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys.
ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format.
Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format.

Solution

Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of this typo3fluid/fluid package that fix the problem described.

Updated versions of this package are bundled in following TYPO3 (typo3/cms-core) releases:

TYPO3 v9.5.23 (using typo3fluid/fluid v2.6.10)
TYPO3 v10.4.10 (using typo3fluid/fluid v2.6.10)

The specific vulnerabilities are prevented by:

Explicitly escaping keys found in the additionalAttributes array passed to a TagBasedViewHelper before using them as attribute names.
Detecting "content argument" on ViewHelpers using the trait CompileWithContentArgumentAndRenderStatic and escaping it based on the state of escapeChildren when escapeOutput is toggled off. Escaping still will not occur if explicitly disabled by an enclosing ViewHelper. This homogenises escaping behavior of "content arguments" so the same strategy is used whether the "content" argument is passed as argument or child content.
Explicitly defining the then and else arguments on AbstractConditionViewHelper subclasses as escaped and applying escaping in all cases where escaping is not explicitly disabled by an enclosing ViewHelper.

Affected cases

The fix for TagBasedViewHelper does not affect any valid use cases; it only prevents use of maliciously crafted attribute/value arrays passed as additionalAttributes.
Any case where a ViewHelper with a "content argument" and which defines escapeOutput = false is used with the content argument instead of passing variables as child node - e.g. <v:h content="{variable}" /> instead of <v:h>{variable}</v:h> to intentionally circumvent escaping of any HTML in {variable}.
Any case where a condition ViewHelper is used with then or else arguments to render a variable containing HTML, excluding cases where the variable is intentionally unescaped - e.g. <f:if condition="1" then="{variable -> f:format.raw()}" />, and excluding any cases where a ViewHelper is used as argument value and the ViewHelper intentionally disables escaping - e.g. <f:if condition="1" then="{f:render(section: 'MySection')}" /> does not escape the then argument because f:render disables output escaping.

Cases 2 and 3 can be mitigated to allow variables with HTML to not be escaped, by intentionally disabling escaping by chaining the variable used in the argument with f:format.raw as described in case 3. Note that this constitutes a potential security issue, for which the template author is solely responsible. Example: <f:if condition="1" then="{intentionalHtmlVariable}" /> can allow HTML in {intentionalHtmlVariable} by adding -> f:format.raw() - to become <f:if condition="1" then="{intentionalHtmlVariable -> f:format.raw()}" />.

Custom ViewHelpers which use CompileWithContentArgumentAndRenderStatic can alternatively pass a 6th argument with value false to the call to registerArgument which registers the "content argument", which explicitly disables escaping of the argument value: $this->registerArgument('arg', 'string', 'My argument', false, null, false);. Note that this constitutes a potential security issue for which the ViewHelper author is solely responsible. Variables containing HTML should only be allowed after taking great care to prevent XSS through other means, e.g. sanitising the variable before it is assigned to Fluid or only allowing such variables to come from trusted sources.

Credits

Thanks to Jonas Eberle and Sinan Sekerci (Dreamlab Technologies) who reported this issue and to TYPO3 core merger Claus Due who fixed the issue.

References

TYPO3-CORE-SA-2020-009

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3fluid/fluid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3fluid/fluid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3fluid/fluid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3fluid/fluid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3fluid/fluid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3fluid/fluid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3fluid/fluid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-11-17T20:30:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "\u003e ### Meta\n\u003e * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7)\n\u003e * CWE-79\n\n### Problem\n\nThree XSS vulnerabilities have been detected in Fluid:\n\n1. TagBasedViewHelper allowed XSS throug maliciously crafted `additionalAttributes` arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys.\n2. ViewHelpers which used the `CompileWithContentArgumentAndRenderStatic` trait, and which declared `escapeOutput = false`, would receive the content argument in unescaped format.\n3. Subclasses of AbstractConditionViewHelper would receive the `then` and `else` arguments in unescaped format.\n\n### Solution\nUpdate to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of this `typo3fluid/fluid` package that fix the problem described.\n\nUpdated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) releases:\n\n* TYPO3 v9.5.23 (using typo3fluid/fluid v2.6.10)\n* TYPO3 v10.4.10 (using typo3fluid/fluid v2.6.10)\n\nThe specific vulnerabilities are prevented by:\n\n1. Explicitly escaping keys found in the `additionalAttributes` array passed to a TagBasedViewHelper before using them as attribute names.\n2. Detecting \"content argument\" on ViewHelpers using the trait CompileWithContentArgumentAndRenderStatic and escaping it based on the state of `escapeChildren` when `escapeOutput` is toggled off. Escaping still will not occur if explicitly disabled by an enclosing ViewHelper. This homogenises escaping behavior of \"content arguments\" so the same strategy is used whether the \"content\" argument is passed as argument or child content.\n3. Explicitly defining the `then` and `else` arguments on AbstractConditionViewHelper subclasses as escaped and applying escaping in all cases where escaping is not explicitly disabled by an enclosing ViewHelper.\n\n\n### Affected cases\n\n1. The fix for TagBasedViewHelper does not affect any valid use cases; it only prevents use of maliciously crafted attribute/value arrays passed as `additionalAttributes`.\n2. Any case where a ViewHelper with a \"content argument\" and which defines `escapeOutput = false` is used with the content argument instead of passing variables as child node - e.g. `\u003cv:h content=\"{variable}\" /\u003e` instead of `\u003cv:h\u003e{variable}\u003c/v:h\u003e` to intentionally circumvent escaping of any HTML in `{variable}`.\n3. Any case where a condition ViewHelper is used with `then` or `else` arguments to render a variable containing HTML, excluding cases where the variable is intentionally unescaped - e.g. `\u003cf:if condition=\"1\" then=\"{variable -\u003e f:format.raw()}\" /\u003e`, and excluding any cases where a ViewHelper is used as argument value and the ViewHelper intentionally disables escaping - e.g. `\u003cf:if condition=\"1\" then=\"{f:render(section: \u0027MySection\u0027)}\" /\u003e` does not escape the `then` argument because `f:render` disables output escaping.\n\nCases 2 and 3 can be mitigated to allow variables with HTML to not be escaped, by intentionally disabling escaping by chaining the variable used in the argument with `f:format.raw` as described in case 3. Note that this constitutes a potential security issue, for which the template author is solely responsible. Example: `\u003cf:if condition=\"1\" then=\"{intentionalHtmlVariable}\" /\u003e` can allow HTML in `{intentionalHtmlVariable}` by adding `-\u003e f:format.raw()` - to become `\u003cf:if condition=\"1\" then=\"{intentionalHtmlVariable -\u003e f:format.raw()}\" /\u003e`.\n\nCustom ViewHelpers which use `CompileWithContentArgumentAndRenderStatic` can alternatively pass a 6th argument with value `false` to the call to `registerArgument` which registers the \"content argument\", which explicitly disables escaping of the argument value: `$this-\u003eregisterArgument(\u0027arg\u0027, \u0027string\u0027, \u0027My argument\u0027, false, null, false);`. Note that this constitutes a potential security issue for which the ViewHelper author is solely responsible. **Variables containing HTML should only be allowed after taking great care to prevent XSS through other means, e.g. sanitising the variable before it is assigned to Fluid or only allowing such variables to come from trusted sources.**\n\n### Credits\nThanks to Jonas Eberle and Sinan Sekerci (Dreamlab Technologies) who reported this issue and to TYPO3 core merger Claus Due who fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2020-009](https://typo3.org/security/advisory/typo3-core-sa-2020-009)",
  "id": "GHSA-hpjm-3ww5-6cpf",
  "modified": "2024-02-07T18:52:28Z",
  "published": "2020-11-18T21:06:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26216"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3fluid/fluid/CVE-2020-26216.yaml"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-Site Scripting through Fluid view helper arguments"
}

gsd-2020-26216

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2020-26216

Aliases

CVE-2020-26216

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-26216",
    "description": "TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. 2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. 3. Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format. Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of this typo3fluid/fluid package that fix the problem described. More details are available in the linked advisory.",
    "id": "GSD-2020-26216"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-26216"
      ],
      "details": "TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. 2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. 3. Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format. Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of this typo3fluid/fluid package that fix the problem described. More details are available in the linked advisory.",
      "id": "GSD-2020-26216",
      "modified": "2023-12-13T01:22:08.738015Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-26216",
        "STATE": "PUBLIC",
        "TITLE": "Cross-Site Scripting in TYPO3 Fluid"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Fluid",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 2.0.0, \u003c 2.0.8"
                        },
                        {
                          "version_value": "\u003e= 2.1.0, \u003c 2.1.7"
                        },
                        {
                          "version_value": "\u003e= 2.2.0, \u003c 2.2.4"
                        },
                        {
                          "version_value": "\u003e= 2.3.0, \u003c 2.3.7"
                        },
                        {
                          "version_value": "\u003e= 2.4.0, \u003c 2.4.4"
                        },
                        {
                          "version_value": "\u003e= 2.5.0, \u003c 2.5.11"
                        },
                        {
                          "version_value": "\u003e= 2.6.0, \u003c 2.6.10"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "TYPO3"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. 2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. 3. Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format. Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of this typo3fluid/fluid package that fix the problem described. More details are available in the linked advisory."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-79 Cross-site Scripting (XSS)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf",
            "refsource": "CONFIRM",
            "url": "https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf"
          },
          {
            "name": "https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc",
            "refsource": "MISC",
            "url": "https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc"
          },
          {
            "name": "https://typo3.org/security/advisory/typo3-core-sa-2020-009",
            "refsource": "MISC",
            "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-009"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-hpjm-3ww5-6cpf",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.0.8||\u003e=2.1.0,\u003c2.1.7||\u003e=2.2.0,\u003c2.2.4||\u003e=2.3.0,\u003c2.3.7||\u003e=2.4.0, \u003c2.4.4||\u003e=2.5.0,\u003c2.5.11||\u003e=2.6.0,\u003c2.6.10",
          "affected_versions": "All versions before 2.0.8, all versions starting from 2.1.0 before 2.1.7, all versions starting from 2.2.0 before 2.2.4, all versions starting from 2.3.0 before 2.3.7, all versions starting from 2.4.0 before 2.4.4, all versions starting from 2.5.0 before 2.5.11, all versions starting from 2.6.0 before 2.6.10",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2020-12-02",
          "description": "TYPO3 Fluid is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid - `TagBasedViewHelper` allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, `TagBuilder` would not escape the keys. `ViewHelpers` which used the `CompileWithContentArgumentAndRenderStatic` trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. Subclasses of `AbstractConditionViewHelper` would receive the then and else arguments in unescaped format. More details are available in the linked advisory.",
          "fixed_versions": [
            "2.0.8",
            "2.1.7",
            "2.2.4",
            "2.3.7",
            "2.4.4",
            "2.5.11",
            "2.6.10"
          ],
          "identifier": "CVE-2020-26216",
          "identifiers": [
            "CVE-2020-26216",
            "GHSA-hpjm-3ww5-6cpf"
          ],
          "not_impacted": "All versions starting from 2.0.8 before 2.1.0, all versions starting from 2.1.7 before 2.2.0, all versions starting from 2.2.4 before 2.3.0, all versions starting from 2.3.7 before 2.4.0, all versions starting from 2.4.4 before 2.5.0, all versions starting from 2.5.11 before 2.6.0, all versions starting from 2.6.10",
          "package_slug": "packagist/typo3fluid/fluid",
          "pubdate": "2020-11-17",
          "solution": "Upgrade to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11, 2.6.10 or above.",
          "title": "Cross-site Scripting",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-26216",
            "https://typo3.org/security/advisory/typo3-core-sa-2020-009"
          ],
          "uuid": "34db5413-eb63-4b8e-b12a-3badb7f0d79d"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.0.8",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.1.7",
                "versionStartIncluding": "2.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.2.4",
                "versionStartIncluding": "2.2.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.3.7",
                "versionStartIncluding": "2.3.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.4.4",
                "versionStartIncluding": "2.4.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.5.11",
                "versionStartIncluding": "2.5.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typo3:fluid:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.6.10",
                "versionStartIncluding": "2.6.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-26216"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. 2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. 3. Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format. Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of this typo3fluid/fluid package that fix the problem described. More details are available in the linked advisory."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/TYPO3/Fluid/security/advisories/GHSA-hpjm-3ww5-6cpf"
            },
            {
              "name": "https://typo3.org/security/advisory/typo3-core-sa-2020-009",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-009"
            },
            {
              "name": "https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/TYPO3/Fluid/commit/f20db4e74cf9803c6cffca2ed2f03e1b0b89d0dc"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2020-12-02T14:03Z",
      "publishedDate": "2020-11-17T21:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2020-26216 (GCVE-0-2020-26216)

Vulnerability from cvelistv5

fkie_cve-2020-26216

Vulnerability from fkie_nvd

ghsa-hpjm-3ww5-6cpf

Vulnerability from github

Meta

Problem

Solution

Affected cases

Credits

References

gsd-2020-26216

Vulnerability from gsd

Tags

Sightings

Nomenclature