Security Notification

The security bug described here is actually not in Flow but in the typo3fluid/fluid package which is a dependency of Flow and Neos


Component Type: typo3fluid/fluid package
Vulnerability Type: cross-site scripting vulnerability
Severity: medium
Affected Versions: Flow from version 4.0 (meaning Neos from version 3.0)
Suggested CVSS: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C

It has been discovered that Fluid erroneously does not escape output from ternary expressions. Given the extensive use of Fluid in Flow and Neos together with the usage of Fluid in user code this should be considered a possible vulnerability in all installations.

Exploiting can only happen if you output user input through a ternary expression in Fluid and expect that user input to be escaped. See example below.

<!-- 
Given a variable "content" in Fluid containing unescaped HTML 
like such: "<script>alert('XSS');</script>"
This would be output unescaped which is unexpected:
-->

{hasContent ? content : ''}

Fixing the Issue

To fix the issue, you need to update typo3fluid/fluid to a safe version.

For all affected Flow and Neos versions patched typo3fluid/fluid versions exist and can be updated via composer.

composer update typo3fluid/fluid

Make sure you have at least one of the following versions after updating: 

  • 2.0.5
  • 2.1.4
  • 2.2.1
  • 2.3.5
  • 2.4.1
  • 2.5.5
  • 2.6.1

Getting Help

In case you are unsure about the issue, don't hesitate to contact the Neos team on Slack (#flow-general) or through the other communication channels!