SCA: security update for typo3fluid/fluid (GHSA-hpjm-3ww5-6cpf)

medium Tenable Self-Hosted Container Security Plugin ID 415867

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-
Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS
through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes
followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. 2. ViewHelpers
which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false,
would receive the content argument in unescaped format. 3. Subclasses of AbstractConditionViewHelper would
receive the then and else arguments in unescaped format. Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7,
2.4.4, 2.5.11 or 2.6.10 of this typo3fluid/fluid package that fix the problem described. More details are
available in the linked advisory. (CVE-2020-26216)

See Also

https://github.com/advisories/GHSA-hpjm-3ww5-6cpf

Plugin Details

Severity: Medium

ID: 415867

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2020-26216

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/18/2020

Vulnerability Publication Date: 11/17/2020

Reference Information

CVE: CVE-2020-26216

cwe: CWE-79