By-passing Cross-Site Scripting Protection in HTML Sanitizer
CVE-2023-38500

4.7MEDIUM

Key Information:

Vendor: Typo3
Status: Html-sanitizer
Vendor: CVE Published:; 25 July 2023

What is CVE-2023-38500?

TYPO3 HTML Sanitizer is an HTML sanitizer, written in PHP, aiming to provide cross-site-scripting-safe markup based on explicitly allowed tags, attributes and values. Starting in version 1.0.0 and prior to versions 1.5.1 and 2.1.2, due to an encoding issue in the serialization layer, malicious markup nested in a noscript element was not encoded correctly. noscript is disabled in the default configuration, but might have been enabled in custom scenarios. This allows bypassing the cross-site scripting mechanism of TYPO3 HTML Sanitizer. Versions 1.5.1 and 2.1.2 fix the problem.

Affected Version(s)

html-sanitizer >= 1.0.0, < 1.5.1 < 1.0.0, 1.5.1

html-sanitizer >= 2.0.0, < 2.1.2 < 2.0.0, 2.1.2

References

https://github.com/TYPO3/html-sanitizer/security/advisori...

x_refsource_CONFIRM

https://github.com/TYPO3/html-sanitizer/commit/e3026f589f...

x_refsource_MISC

https://typo3.org/security/advisory/typo3-core-sa-2023-002

x_refsource_MISC

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jul 25, 2023
Vulnerability Reserved
Jul 18, 2023

Typo3

What is CVE-2023-38500?

Affected Version(s)

References

CVSS V3.1

Timeline