search

snowdensb / dependabot-core

🤖 The core logic behind Dependabot's update PR creation, and the public issue tracker for all things Dependabot
https://github.com/features/security
Other
0 stars 0 forks source link

typo3fluid/fluid-2.5.11: 1 vulnerabilities (highest severity is: 4.7) #1133

Open mend-for-github-com[bot] opened 4 months ago

mend-for-github-com[bot] commented 4 months ago
Vulnerable Library - typo3fluid/fluid-2.5.11

The TYPO3 Fluid template rendering engine

Library home page: https://api.github.com/repos/TYPO3/Fluid/zipball/14c371123eebd828ad0bf18884a041870d13492e

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (typo3fluid/fluid version) Remediation Possible** Reachability
CVE-2020-15241 Medium 4.7 typo3fluid/fluid-2.5.11 Direct TYPO3.CMS - 8.7.25,9.5.6;Fluid - 2.6.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-15241 ### Vulnerable Library - typo3fluid/fluid-2.5.11

The TYPO3 Fluid template rendering engine

Library home page: https://api.github.com/repos/TYPO3/Fluid/zipball/14c371123eebd828ad0bf18884a041870d13492e

Dependency Hierarchy: - :x: **typo3fluid/fluid-2.5.11** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1). Mend Note: Converted from WS-2019-0141, on 2021-08-19.

Publish Date: 2020-10-08

URL: CVE-2020-15241

### CVSS 3 Score Details (4.7)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://typo3.org/security/advisory/typo3-core-sa-2019-013/

Release Date: 2020-10-08

Fix Resolution: TYPO3.CMS - 8.7.25,9.5.6;Fluid - 2.6.1