TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1).
Mend Note: Converted from WS-2019-0141, on 2021-08-19.
Vulnerable Library - typo3fluid/fluid-2.5.11
The TYPO3 Fluid template rendering engine
Library home page: https://api.github.com/repos/TYPO3/Fluid/zipball/14c371123eebd828ad0bf18884a041870d13492e
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-15241
### Vulnerable Library - typo3fluid/fluid-2.5.11The TYPO3 Fluid template rendering engine
Library home page: https://api.github.com/repos/TYPO3/Fluid/zipball/14c371123eebd828ad0bf18884a041870d13492e
Dependency Hierarchy: - :x: **typo3fluid/fluid-2.5.11** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsTYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1). Mend Note: Converted from WS-2019-0141, on 2021-08-19.
Publish Date: 2020-10-08
URL: CVE-2020-15241
### CVSS 3 Score Details (4.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://typo3.org/security/advisory/typo3-core-sa-2019-013/
Release Date: 2020-10-08
Fix Resolution: TYPO3.CMS - 8.7.25,9.5.6;Fluid - 2.6.1