Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04NjQ4LWg1NTktOGg0Ms4AAyWy
Fluid Components TYPO3 extension vulnerable to Cross-Site Scripting
All versions of Fluid Components before 3.5.0 were susceptible to Cross-Site Scripting. Version 3.5.0 of the extension fixes this issue. Due to the nature of the problem, some changes in your project's Fluid templates might be necessary to prevent unwanted double-escaping of HTML markup.
Permalink: https://github.com/advisories/GHSA-8648-h559-8h42JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NjQ4LWg1NTktOGg0Ms4AAyWy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 5 months ago
Identifiers: GHSA-8648-h559-8h42, CVE-2023-28604
References:
- https://github.com/FriendsOfPHP/security-advisories/blob/master/sitegeist/fluid-components/CVE-2023-28604.yaml
- https://github.com/sitegeist/fluid-components/blob/master/Documentation/XssIssue.md
- https://typo3.org/security/advisory/typo3-ext-sa-2023-003
- https://nvd.nist.gov/vuln/detail/CVE-2023-28604
- https://github.com/advisories/GHSA-8648-h559-8h42
Blast Radius: 0.0
Affected Packages
packagist:sitegeist/fluid-components
Dependent packages: 1Dependent repositories: 3
Downloads: 189,223 total
Affected Version Ranges: < 3.5.0
Fixed in: 3.5.0
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 3.0.0, 3.1.0, 3.1.1, 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.3
All unaffected versions: 3.5.0, 3.5.1, 3.6.0, 3.7.0