- Release Date: March 22, 2023
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Component: "Fluid Components" (fluid_components)
- Composer Package Name: sitegeist/fluid-components
- Vulnerability Type: Cross-Site Scripting
- Affected Versions: 3.4.3 and below
- Severity: Medium
- Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
- References: CVE-2023-28604, CWE-79
The extension is vulnerable to cross-site scripting if user-controlled data is used as a component argument parameter. A detailed description of the issue as well as some examples are provided in the extension documentation.
Updated version 3.5.0 is available from the TYPO3 extension manager, packagist and at
Users of the extension are advised to update the extension as soon as possible.
Breaking change - Manual actions required
The fixed version of the extension introduces the new SlotViewHelper, which must be used to safely render HTML markup that was passed to a component as an argument. Please refer to the extension documentation for further details.
The fixed version of the extension comes with the new Symfony console command fluidcomponents:checkContentEscaping, which checks for possible escaping issues with the content parameter caused by the new children escaping behavior. Please make sure to check your project's template files with this console command to prevent unwanted escaping of HTML markup.
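The following is an added illustration of the pattern the fixed version requires; it is example markup written for this advisory, not code taken from the extension or its documentation. It shows a component that accepts a plain-text title argument and HTML children: the title is left to Fluid's default escaping, while the children, which the extension now escapes as well, are rendered through the new SlotViewHelper so that template-authored markup keeps its HTML. The namespace prefixes (`fc`, `my`), the component name and file path, and the `name` attribute of `fc:slot` are assumptions; verify them against the extension documentation for your version.

```html
<!-- Components/Teaser/Teaser.html (path and component name are assumptions) -->
<fc:component>
    <fc:param name="title" type="string" />
    <fc:renderer>
        <div class="teaser">
            <!-- Plain-text argument: left to Fluid's default escaping, so a
                 user-controlled value (for example a request parameter)
                 is rendered as text, never as markup. -->
            <h2>{title}</h2>

            <!-- Children passed to the component. From 3.5.0 on, {content}
                 is escaped like any other value; the SlotViewHelper is the
                 explicit way to render the children as HTML. Use it only for
                 markup authored in templates, not for user-controlled data.
                 (The "name" attribute is an assumption; check the docs.) -->
            <div class="teaser-body">
                <fc:slot name="content" />
            </div>
        </div>
    </fc:renderer>
</fc:component>

<!-- Usage in a page template (namespace prefix "my" is an assumption) -->
<my:teaser title="{article.headline}">
    <p>Intro text authored in the template.</p>
    <f:link.typolink parameter="{article.link}">Read more</f:link.typolink>
</my:teaser>
```

After updating, run `fluidcomponents:checkContentEscaping` through your installation's TYPO3 console binary (typically `vendor/bin/typo3` in Composer-based setups) to find component templates that still rely on the old, unescaped rendering of children, and move only the markup that is genuinely template-authored to the SlotViewHelper.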
Thanks to Helmut Hummel for reporting the vulnerability and to Simon Praetorius for providing updated versions of the extension.
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.