CVE-2023-28604 – sitegeist/fluid-components
Package
Manager: composer
Name: sitegeist/fluid-components
Vulnerable Version: >=0 <3.5.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00781 (percentile: 0.72826)
Details
Fluid Components TYPO3 extension vulnerable to Cross-Site Scripting
All versions of Fluid Components before 3.5.0 were susceptible to Cross-Site Scripting. Version 3.5.0 of the extension fixes this issue. Due to the nature of the problem, some changes in your project's Fluid templates might be necessary to prevent unwanted double-escaping of HTML markup.
Metadata
Created: 2023-03-27T21:48:40Z
Modified: 2024-10-29T14:38:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-8648-h559-8h42/GHSA-8648-h559-8h42.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-8648-h559-8h42
Finding: F008
Auto approve: 1