By-passing Cross-Site Scripting Protection in HTML Sanitizer
CVE-2023-47125

4.7MEDIUM

Key Information:

Vendor: Typo3
Status: Html-sanitizer
Vendor: CVE Published:; 14 November 2023

What is CVE-2023-47125?

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. This vulnerability has been addressed in versions 1.5.3 and 2.1.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Version(s)

html-sanitizer >= 1.0.0, < 1.5.3 < 1.0.0, 1.5.3

html-sanitizer >= 2.0.0, < 2.1.4 < 2.0.0, 2.1.4

References

https://github.com/TYPO3/html-sanitizer/security/advisori...

x_refsource_CONFIRM

https://github.com/TYPO3/html-sanitizer/commit/b8f9071725...

x_refsource_MISC

https://typo3.org/security/advisory/typo3-core-sa-2023-007

x_refsource_MISC

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 14, 2023
Vulnerability Reserved
Oct 30, 2023

Typo3

What is CVE-2023-47125?

Affected Version(s)

References

CVSS V3.1

Timeline