Cross-Site Scripting in TYPO3 Fluid

TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. 2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. 3. Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format. Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of this typo3fluid/fluid package that fix the problem described. More details are available in the linked advisory.

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

TYPO3 跨站脚本漏洞

TYPO3是瑞士TYPO3协会的一套免费开源的内容管理系统(框架)(CMS/CMF)。 TYPO3 Fluid 存在跨站脚本漏洞，该漏洞源于TagBasedViewHelper允许XSS通过恶意创建的additionalAttributes数组，方法是创建带有属性结束引号和HTML的键。在呈现这些属性时，TagBuilder不会转义；使用CompileWithContentArgumentAndRenderStatic trait并声明escapeOutput = false的ViewHelpers将收到

N/A

N/A