CVE-2023-28604: 
PHP vulnerability analysis and mitigation

The fluid_components (aka Fluid Components) extension before version 3.5.0 for TYPO3 contains a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute malicious code via a component argument parameter, specifically in certain {content} use cases that may be edge cases. The vulnerability was discovered in March 2023 and assigned CVE-2023-28604 with a CVSS v3.1 base score of 6.1 (Medium) (TYPO3 Advisory, NVD).

The vulnerability exists in the component argument parameter handling where user-controlled data could be processed without proper sanitization. The issue specifically affects cases where the predefined {content} parameter is used, HTML markup is allowed in the {content} parameter through f:format.raw(), and HTML markup variables are passed to the component's {content} parameter without using proper formatting functions like f:format.raw() or f:format.html() (GitHub Doc).

If exploited, this XSS vulnerability could allow attackers to inject and execute malicious client-side scripts in the context of other users' browsers. This could lead to session theft, credential theft, or other malicious actions performed in the context of the affected user's session (TYPO3 Advisory).

The vulnerability has been fixed in version 3.5.0 of the fluid_components extension. The update introduces a new SlotViewHelper that must be used to safely render HTML markup passed to a component as an argument. Users should update to version 3.5.0 as soon as possible and use the provided CLI tool 'fluidcomponents:checkContentEscaping' to identify and fix potential escaping issues in their template files (GitHub Doc, TYPO3 Advisory).