- Release Date: March 22, 2023
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Component: "Fluid Components" (fluid_components)
- Composer Package Name: sitegeist/fluid-components
- Vulnerability Type: Cross-Site Scripting
- Affected Versions: 3.4.3 and below
- Severity: Medium
- Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
- References: CVE-2023-28604, CWE-79
Problem Description
The extension is vulnerable to cross-site scripting if user-controlled data is used as a component argument parameter. A detailed description of the issue as well as some examples are provided in the extension documentation.
Solution
Updated version 3.5.0 is available from the TYPO3 extension manager, Packagist and at
https://extensions.typo3.org/extension/download/fluid_components/3.5.0/zip
Users of the extension are advised to update the extension as soon as possible.
Breaking change - Manual actions required
The fixed version of the extension introduces the new SlotViewHelper, which must be used to safely render HTML markup that was passed to a component as an argument. Please refer to the extension documentation for further details.
The fixed version of the extension comes with the new Symfony console command fluidcomponents:checkContentEscaping, which checks for possible escaping issues with the content parameter due to the new children escaping behavior. Please make sure to check your project's template files with this console command to prevent unwanted escaping of HTML markup.
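The following PHP snippet is an added illustration and is not code from the fluid_components extension or from TYPO3. It shows, with a toy component renderer, why interpolating a component argument verbatim is a cross-site scripting sink, and how the escape-by-default design described above (plain strings escaped, HTML emitted only through an explicit slot) removes it. The function and class names (renderComponentUnsafe, renderComponentSafe, Slot) and the sample input are constructed for this example and are not the extension's API.

```php
<?php
// Added illustration, not code from the fluid_components extension.
// Names below are hypothetical; the sample input is constructed.

declare(strict_types=1);

/** Marker for markup the template author has explicitly vetted (hypothetical). */
final class Slot
{
    public function __construct(public readonly string $html) {}
}

/** Escape a string for an HTML text or attribute context. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Vulnerable pattern: every argument is interpolated verbatim. If "content"
 * originates from a request parameter, whoever sent the request controls
 * the markup that reaches the visitor's browser.
 */
function renderComponentUnsafe(array $arguments): string
{
    return '<div class="teaser"><h2>' . ($arguments['title'] ?? '') . '</h2>'
        . '<div class="body">' . ($arguments['content'] ?? '') . '</div></div>';
}

/**
 * Hardened pattern: plain strings are always escaped; only a value the
 * template author explicitly wrapped as a Slot is emitted as markup.
 */
function renderComponentSafe(array $arguments): string
{
    $render = static fn(mixed $value): string =>
        $value instanceof Slot ? $value->html : escapeHtml((string) $value);

    return '<div class="teaser"><h2>' . $render($arguments['title'] ?? '') . '</h2>'
        . '<div class="body">' . $render($arguments['content'] ?? '') . '</div></div>';
}

// Constructed sample input standing in for a user-controlled request parameter.
$untrusted = '<img src=x onerror="alert(document.cookie)">';

// Unsafe: the event handler survives intact and would run in the browser.
echo renderComponentUnsafe(['title' => 'News', 'content' => $untrusted]), PHP_EOL;

// Safe: the same input is emitted as inert text (&lt;img ... &gt;).
echo renderComponentSafe(['title' => 'News', 'content' => $untrusted]), PHP_EOL;

// Markup produced by the template itself (e.g. a rendered child section) is
// passed through the explicit Slot wrapper and is still emitted as HTML.
echo renderComponentSafe([
    'title'   => 'News',
    'content' => new Slot('<p>Rendered child section</p>'),
]), PHP_EOL;
```

The design point mirrors the advisory's breaking change: once escaping is the default, markup only reaches the output where the template author opted in explicitly, which is why existing templates that relied on raw rendering of the content argument need to be reviewed after the update.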
Credits
Thanks to Helmut Hummel for reporting the vulnerability and to Simon Praetorius for providing updated versions of the extension.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.