CVE-2022-36020

The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Due to a parsing issue in the upstream package `masterminds/html5`, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows for a bypass of the cross-site scripting mechanism of `typo3/html-sanitizer`. This issue has been addressed in versions 1.0.7 and 2.0.16 of the `typo3/html-sanitizer` package. Users are advised to upgrade. There are no known workarounds for this issue.
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

OR cpe:2.3:a:typo3:html_sanitizer:*:*:*:*:*:*:*:*
cpe:2.3:a:typo3:html_sanitizer:*:*:*:*:*:*:*:*

Information

Published : 2022-09-13 10:15

Updated : 2022-09-15 19:36


NVD link : CVE-2022-36020

Mitre link : CVE-2022-36020


JSON object : View

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advertisement

dedicated server usa

Products Affected

typo3

  • html_sanitizer