CVE-2020-26227 MEDIUM

CVE-2020-26227: Cross-Site Scripting in Fluid view helpers

Vendor Typo3
Product TYPO3.CMS
Weakness CWE-79 · XSS
Published November 23, 2020
Last update August 4, 2024

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described.

Key dates

02Disclosure timeline

November 23, 2020 CVE published
August 4, 2024 Record updated