TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection

> ### Meta > * CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C (5.7)

Problem

Due to a parsing issue in upstream package masterminds/html5, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows to by-pass the cross-site scripting mechanism of typo3/html-sanitizer.

Solution

Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above.

Credits

Thanks to David Klein who reported this issue, and to TYPO3 security team member Oliver Hader who fixed the issue.

References

Published: Sep 15, 2022
Updated: Apr 14, 2023
GHSA: GHSA-gqqf-g5r7-84vf
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
typo3 / cms-core	7.0.0	7.6.58
typo3 / cms-core	8.0.0	8.7.48
typo3 / cms-core	9.0.0	9.5.37
typo3 / cms-core	10.0.0	10.4.32
typo3 / cms-core	11.0.0	11.5.16

Vulnerability Database

290,020

TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection

Problem

Solution

Credits

References