VYPR
Moderate severityNVD Advisory· Published Dec 13, 2022· Updated Apr 23, 2025

Cross-Site Scripting Protection bypass in HTML Sanitizer

CVE-2022-23499

Description

HTML sanitizer is written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. In versions prior to 1.5.0 or 2.1.1, malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized due to a parsing issue in the upstream package masterminds/html5. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. The upstream package masterminds/html5 provides HTML raw text elements (script, style, noframes, noembed and iframe) as DOMText nodes, which were not processed and sanitized further. None of the mentioned elements were defined in the default builder configuration, that's why only custom behaviors, using one of those tag names, were vulnerable to cross-site scripting. This issue has been fixed in versions 1.5.0 and 2.1.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
typo3/html-sanitizerPackagist
>= 1.0.0, < 1.5.01.5.0
typo3/html-sanitizerPackagist
>= 2.0.0, < 2.1.12.1.1
typo3/cmsPackagist
>= 10.0.0, < 10.4.3310.4.33
typo3/cmsPackagist
>= 11.0.0, < 11.5.2011.5.20
typo3/cmsPackagist
>= 12.0.0, < 12.1.112.1.1

Affected products

3

Patches

Vulnerability mechanics

References

9

News mentions

0

No linked articles in our index yet.