CVE-2022-36020

MEDIUM6.1Cross-site scripting

Description

The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Due to a parsing issue in the upstream package `masterminds/html5`, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows for a bypass of the cross-site scripting mechanism of `typo3/html-sanitizer`. This issue has been addressed in versions 1.0.7 and 2.0.16 of the `typo3/html-sanitizer` package. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected products

TYPO3 / HTML Sanitizer>= 1.0.0, < 1.0.7 – >= 1.0.0, < 1.0.7
TYPO3 / HTML Sanitizer>= 2.0.0, < 2.0.16 – >= 2.0.0, < 2.0.16

References

VENDOR_ADVISORYhttps://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-47m6-46mj-p235
PATCHhttps://github.com/TYPO3/html-sanitizer/commit/60bfdc7f9b394d0236e16ee4cea8372a7defa493
MISChttps://packagist.org/packages/masterminds/html5
MISChttps://packagist.org/packages/typo3/html-sanitizer