CVE-2022-36020
published 2022-09-13


Priority: P4 (25)
Severity: medium, CVSS 3.1 base score 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.63% (45.8th percentile)
The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Due to a parsing issue in the upstream package `masterminds/html5`, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows for a bypass of the cross-site scripting mechanism of `typo3/html-sanitizer`. This issue has been addressed in versions 1.0.7 and 2.0.16 of the `typo3/html-sanitizer` package. Users are advised to upgrade. There are no known workarounds for this issue.

Affected

10 ranges (lower bound inclusive, upper bound exclusive; the first fixed release is listed in the last column)

Vendor | Product        | Version range         | Fixed in
typo3  | cms            | >= 10.0.0 < 10.4.32   | 10.4.32
typo3  | cms            | >= 11.0.0 < 11.5.16   | 11.5.16
typo3  | cms-core       | >= 10.0.0 < 10.4.32   | 10.4.32
typo3  | cms-core       | >= 11.0.0 < 11.5.16   | 11.5.16
typo3  | html-sanitizer | (no range given)      | (not given)
typo3  | html-sanitizer | (no range given)      | (not given)
typo3  | html-sanitizer | >= 1.0.0 < 1.0.7      | 1.0.7
typo3  | html-sanitizer | >= 2.0.0 < 2.0.16     | 2.0.16
typo3  | html_sanitizer | >= 1.0.0 < 1.0.7      | 1.0.7
typo3  | html_sanitizer | >= 2.0.0 < 2.0.16     | 2.0.16
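The practical check for this advisory is whether a project's composer.lock pins one of the ranges in the table above. The script below is an added example, not code from the advisory or from the TYPO3 project: it copies the affected ranges from the table, compares the locked versions against them with a small version parser, and reports branch aliases such as dev-main separately because their fix status cannot be proven from the version string. The composer.lock fragment at the bottom is constructed for the demo; only the package names typo3/cms, typo3/cms-core and typo3/html-sanitizer are taken from the page.

```python
"""Check a composer.lock for packages inside the affected ranges of
CVE-2022-36020 (typo3/html-sanitizer, typo3/cms-core, typo3/cms).

Added example, not part of the advisory or of the TYPO3 project. The ranges
are copied from the Affected table on the page; the composer.lock fragment
at the bottom is constructed for the demo.
"""
import json
import re

# (composer package, first affected, first fixed), from the Affected table.
# Lower bound inclusive, upper bound exclusive, matching ">= a < b".
# "typo3/html_sanitizer" (the TYPO3 extension key) is the same code as
# typo3/html-sanitizer and is not listed separately.
AFFECTED = [
    ("typo3/cms", "10.0.0", "10.4.32"),
    ("typo3/cms", "11.0.0", "11.5.16"),
    ("typo3/cms-core", "10.0.0", "10.4.32"),
    ("typo3/cms-core", "11.0.0", "11.5.16"),
    ("typo3/html-sanitizer", "1.0.0", "1.0.7"),
    ("typo3/html-sanitizer", "2.0.0", "2.0.16"),
]

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(.*)$")


def parse_version(text):
    """Map 'v2.0.15', '2.0.16-rc1' etc. to a comparable tuple.

    Numeric parts are padded to four components; a final flag is 0 for a
    pre-release suffix and 1 for a release, so '2.0.16-rc1' sorts below
    '2.0.16' and is still treated as unfixed. Branch aliases such as
    'dev-main' or '2.0.x-dev' raise ValueError: they cannot be compared.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    suffix = m.group(2)
    if "dev" in suffix:
        raise ValueError(f"branch alias, cannot compare: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:4]
    parts += [0] * (4 - len(parts))
    is_release = 1 if (not suffix or suffix.startswith("+")) else 0
    return tuple(parts) + (is_release,)


def affected_entries(lock):
    """Return [(package, locked version, fixed-in)] for every package in a
    parsed composer.lock that lies inside an affected range. Versions that
    cannot be compared are returned with fixed-in None so they get reviewed
    rather than silently passed."""
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name, version = pkg.get("name"), pkg.get("version", "")
            ranges = [r for r in AFFECTED if r[0] == name]
            if not ranges:
                continue
            try:
                v = parse_version(version)
            except ValueError:
                hits.append((name, version, None))
                continue
            for _, lo, hi in ranges:
                if parse_version(lo) <= v < parse_version(hi):
                    hits.append((name, version, hi))
                    break
    return hits


def check_lock(lock_text):
    """Same as affected_entries, but takes the raw composer.lock contents."""
    return affected_entries(json.loads(lock_text))


# Constructed composer.lock fragment (not a real project's lock file):
# cms-core is already on the fixed release, html-sanitizer is one behind.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms-core", "version": "v11.5.16"},
        {"name": "typo3/html-sanitizer", "version": "v2.0.15"},
        {"name": "psr/log", "version": "3.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version, fixed in check_lock(text):
        print(f"{name} {version}: affected, fixed in {fixed or '? (verify manually)'}")
```

Run it with a path to a real composer.lock; without an argument it checks the constructed sample and reports typo3/html-sanitizer v2.0.15 as affected with 2.0.16 as the fix. Because the bypass lives in the upstream parser, a project that pins typo3/html-sanitizer to a fixed release but vendors an old copy of the sanitizer elsewhere is not covered by this lock-file check.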