Search for packages
| purl | pkg:composer/typo3/cms-core@7.6.0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-f963-qur3-2qb7
Aliases: CVE-2020-26227 GHSA-vqqx-jw6p-q3rf |
Cross-Site Scripting in Fluid view helpers > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7) > * CWE-79 ### Problem It has been discovered that system extension Fluid (`typo3/cms-fluid`) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. ``` <f:form ... fieldNamePrefix="{payload}" /> <f:be.labels.csh ... label="{payload}" /> <f:be.menus.actionMenu ... label="{payload}" /> ``` ### Solution Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described. ### Credits Thanks to TYPO3 security team member Oliver Hader who reported this issue and to TYPO3 security team members Helmut Hummel & Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2020-010](https://typo3.org/security/advisory/typo3-core-sa-2020-010) |
Affected by 0 other vulnerabilities. Affected by 38 other vulnerabilities. Affected by 46 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-02T12:37:41.421807+00:00 | GitLab Importer | Affected by | VCID-f963-qur3-2qb7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/CVE-2020-26227.yml | 38.0.0 |