GSD-2023-28604
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
The fluid_components (aka Fluid Components) extension before 3.5.0 for TYPO3 allows XSS via a component argument parameter, for certain {content} use cases that may be edge cases.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-28604",
"id": "GSD-2023-28604"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-28604"
],
"details": "The fluid_components (aka Fluid Components) extension before 3.5.0 for TYPO3 allows XSS via a component argument parameter, for certain {content} use cases that may be edge cases.",
"id": "GSD-2023-28604",
"modified": "2023-12-13T01:20:49.392229Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2023-28604",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The fluid_components (aka Fluid Components) extension before 3.5.0 for TYPO3 allows XSS via a component argument parameter, for certain {content} use cases that may be edge cases."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://typo3.org/security/advisory/typo3-ext-sa-2023-003",
"refsource": "MISC",
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2023-003"
},
{
"name": "https://github.com/sitegeist/fluid-components/blob/master/Documentation/XssIssue.md",
"refsource": "CONFIRM",
"url": "https://github.com/sitegeist/fluid-components/blob/master/Documentation/XssIssue.md"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c3.5.0",
"affected_versions": "All versions before 3.5.0",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2023-03-27",
"description": "All versions of Fluid Components before 3.5.0 were susceptible to Cross-Site Scripting. Version 3.5.0 of the extension fixes this issue. Due to the nature of the problem, some changes in your project\u0027s Fluid templates might be necessary to prevent unwanted double-escaping of HTML markup.",
"fixed_versions": [
"3.5.0"
],
"identifier": "CVE-2023-28604",
"identifiers": [
"GHSA-8648-h559-8h42",
"CVE-2023-28604"
],
"not_impacted": "All versions starting from 3.5.0",
"package_slug": "packagist/sitegeist/fluid-components",
"pubdate": "2023-03-27",
"solution": "Upgrade to version 3.5.0 or above.",
"title": "Fluid Components TYPO3 extension vulnerable to Cross-Site Scripting",
"urls": [
"https://github.com/FriendsOfPHP/security-advisories/blob/master/sitegeist/fluid-components/CVE-2023-28604.yaml",
"https://github.com/sitegeist/fluid-components/blob/master/Documentation/XssIssue.md",
"https://typo3.org/security/advisory/typo3-ext-sa-2023-003",
"https://github.com/advisories/GHSA-8648-h559-8h42"
],
"uuid": "1ca1c2f8-4190-426a-8dab-4a150f1d116a"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sitegeist:fluid_components:*:*:*:*:*:typo3:*:*",
"matchCriteriaId": "1E3DA22F-1591-4CC6-8633-F8BCA7F24BBF",
"versionEndExcluding": "3.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The fluid_components (aka Fluid Components) extension before 3.5.0 for TYPO3 allows XSS via a component argument parameter, for certain {content} use cases that may be edge cases."
},
{
"lang": "es",
"value": "La extensi\u00f3n fluid_components (tambi\u00e9n conocida como Fluid Components) anterior a 3.5.0 para TYPO3 permite XSS a trav\u00e9s de un par\u00e1metro de argumento de componente, para ciertos casos de uso de {content} que pueden ser casos extremos."
}
],
"id": "CVE-2023-28604",
"lastModified": "2023-12-18T14:28:09.443",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-12T17:15:07.817",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Mitigation"
],
"url": "https://github.com/sitegeist/fluid-components/blob/master/Documentation/XssIssue.md"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2023-003"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…