Bypass of Cross-Site Scripting Protection in typo3/html-sanitizer
CVE-2022-36020

6.1MEDIUM

Key Information:

Vendor

Typo3

Status
Html-sanitizer
Vendor
CVE Published:
13 September 2022

What is CVE-2022-36020?

The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Due to a parsing issue in the upstream package masterminds/html5, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows for a bypass of the cross-site scripting mechanism of typo3/html-sanitizer. This issue has been addressed in versions 1.0.7 and 2.0.16 of the typo3/html-sanitizer package. Users are advised to upgrade. There are no known workarounds for this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

html-sanitizer >= 1.0.0, < 1.0.7 < 1.0.0, 1.0.7

html-sanitizer >= 2.0.0, < 2.0.16 < 2.0.0, 2.0.16

References

https://github.com/TYPO3/html-sanitizer/security/advisori...
x_refsource_CONFIRM
https://github.com/TYPO3/html-sanitizer/commit/60bfdc7f9b...
x_refsource_MISC
https://packagist.org/packages/masterminds/html5
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.