Search for vulnerabilities
Vulnerability details: VCID-dybf-xk32-pkdg
Vulnerability ID VCID-dybf-xk32-pkdg
Aliases CVE-2020-15241
GHSA-7733-hjv6-4h47
Summary Cross-Site Scripting in ternary conditional operator > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C`(5.0) > * CWE-79 --- :information_source:  This vulnerability has been fixed in May 2019 already, CVE and GHSA were assigned later in October 2020 --- ### Problem It has been discovered that the Fluid Engine (package `typo3fluid/fluid`) is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like the following. ``` {showFullName ? fullName : defaultValue} ``` ### Solution Update to versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 of this `typo3fluid/fluid` package that fix the problem described. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) releases: * TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.5) * TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1) ### Credits Thanks to Bill Dagou who reported this issue and to TYPO3 core merger Claus Due who fixed the issue. ### References * [TYPO3-CORE-SA-2019-013](https://typo3.org/security/advisory/typo3-core-sa-2019-013)
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
System Score Found at
epss 0.00341 https://api.first.org/data/v1/epss?cve=CVE-2020-15241
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-7733-hjv6-4h47
cvssv3.1 4.7 https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-15241.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-15241.yaml
cvssv3.1 4.7 https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-15241.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-15241.yaml
cvssv3.1 4.7 https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3fluid/fluid/CVE-2020-15241.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3fluid/fluid/CVE-2020-15241.yaml
cvssv3.1 4.7 https://github.com/TYPO3/Fluid
generic_textual MODERATE https://github.com/TYPO3/Fluid
cvssv3.1 4.7 https://github.com/TYPO3/Fluid/commit/9ef6a8ffff2e812025fc0701b4ce72eea6911a3d
generic_textual MODERATE https://github.com/TYPO3/Fluid/commit/9ef6a8ffff2e812025fc0701b4ce72eea6911a3d
cvssv3.1 4.7 https://github.com/TYPO3/Fluid/security/advisories/GHSA-7733-hjv6-4h47
cvssv3.1_qr MODERATE https://github.com/TYPO3/Fluid/security/advisories/GHSA-7733-hjv6-4h47
generic_textual MODERATE https://github.com/TYPO3/Fluid/security/advisories/GHSA-7733-hjv6-4h47
cvssv3.1 4.7 https://nvd.nist.gov/vuln/detail/CVE-2020-15241
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2020-15241
cvssv3.1 4.7 https://typo3.org/security/advisory/typo3-core-sa-2019-013
generic_textual MODERATE https://typo3.org/security/advisory/typo3-core-sa-2019-013
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2020-15241
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-15241.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-15241.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3fluid/fluid/CVE-2020-15241.yaml
https://github.com/TYPO3/Fluid
https://github.com/TYPO3/Fluid/commit/9ef6a8ffff2e812025fc0701b4ce72eea6911a3d
https://github.com/TYPO3/Fluid/security/advisories/GHSA-7733-hjv6-4h47
https://nvd.nist.gov/vuln/detail/CVE-2020-15241
https://typo3.org/security/advisory/typo3-core-sa-2019-013
GHSA-7733-hjv6-4h47 https://github.com/advisories/GHSA-7733-hjv6-4h47
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-15241.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-15241.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3fluid/fluid/CVE-2020-15241.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/TYPO3/Fluid
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/TYPO3/Fluid/commit/9ef6a8ffff2e812025fc0701b4ce72eea6911a3d
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/TYPO3/Fluid/security/advisories/GHSA-7733-hjv6-4h47
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-15241
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://typo3.org/security/advisory/typo3-core-sa-2019-013
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.56108
EPSS Score 0.00341
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:16:14.394458+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-7733-hjv6-4h47/GHSA-7733-hjv6-4h47.json 36.1.3