CVE-2023-47125Cross-site Scripting in Html Sanitizer

CWE-79Cross-site Scripting4 documents4 sources
Severity
6.1MEDIUMNVD
CNA4.7
EPSS
0.5%
top 34.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Typo3 Html SanitizerTypo3Typo3 Html-sanitizer
Timeline
PublishedNov 14

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. This vulnerability has been addressed in versions 1.5.3 and 2.1.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

NVDtypo3/html_sanitizer1.0.01.5.3+1
Packagisttypo3/html-sanitizer1.0.01.5.3+1
CVEListV5typo3/html-sanitizer>= 1.0.0, < 1.5.3, >= 2.0.0, < 2.1.4+1
NVDtypo3/typo38.7.428.7.55+4

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
Bypassing Cross-Site Scripting Protection in TYPO3 HTML Sanitizer2023-11-14
OSV
Bypassing Cross-Site Scripting Protection in TYPO3 HTML Sanitizer2023-11-14
CVEList
By-passing Cross-Site Scripting Protection in HTML Sanitizer2023-11-14
CVE-2023-47125 — Cross-site Scripting in Html Sanitizer | cvebase