First published: Tue Dec 13 2022
typo3/html-sanitizer is an HTML sanitizer written in PHP that aims to provide XSS-safe markup based on explicitly allowed tags, attributes and values. In versions prior to 1.5.0 and 2.1.1, malicious markup used in a sequence with special HTML CDATA sections could not be filtered and sanitized because of a parsing issue in the upstream package masterminds/html5, which allowed the cross-site scripting protection of typo3/html-sanitizer to be bypassed. masterminds/html5 returns the content of HTML raw text elements (`script`, `style`, `noframes`, `noembed` and `iframe`) as DOMText nodes, which were not processed and sanitized further. None of these elements are defined in the default builder configuration, so only custom behaviors that allow one of those tag names were vulnerable to cross-site scripting. This issue has been fixed in versions 1.5.0 and 2.1.1.
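As an added defence-in-depth example (not code from the advisory or the typo3/html-sanitizer project), the following PHP helpers check the two conditions the advisory names, an affected release plus a custom behavior that allows one of the five raw text tag names, and reject sanitizer output that still carries such a start tag or a CDATA marker. The library calls in the trailing usage comment (`CommonBuilder::build()`, `Sanitizer::sanitize()`) and the allowed-tag list passed in are assumptions about the deployment, not taken from the page.

```php
<?php
declare(strict_types=1);

// Added example for CVE-2022-23499; not part of typo3/html-sanitizer.
// The five tag names masterminds/html5 hands back as raw DOMText (per the advisory).
const RAW_TEXT_TAGS = ['script', 'style', 'noframes', 'noembed', 'iframe'];

/** Affected per the advisory: 1.x below 1.5.0 and 2.x below 2.1.1. */
function sanitizerVersionIsAffected(string $version): bool
{
    $v = ltrim($version, 'v');
    if (version_compare($v, '1.0.0', '>=') && version_compare($v, '1.5.0', '<')) {
        return true;
    }
    return version_compare($v, '2.0.0', '>=') && version_compare($v, '2.1.1', '<');
}

/** Tag names from a custom behavior (assumed list) that fall into the vulnerable set. */
function riskyAllowedTags(array $allowedTagNames): array
{
    $lower = array_map('strtolower', $allowedTagNames);
    return array_values(array_intersect(RAW_TEXT_TAGS, $lower));
}

/**
 * Output guard: after sanitizing, reject markup that still contains a raw text
 * start tag (unless that tag is allowed on purpose) or a CDATA section marker.
 * Returns null when the output is acceptable, otherwise the offending token.
 */
function findLeakedRawTextToken(string $sanitizedHtml, array $allowedTagNames): ?string
{
    $needles = ['<![CDATA['];
    foreach (array_diff(RAW_TEXT_TAGS, riskyAllowedTags($allowedTagNames)) as $tag) {
        $needles[] = '<' . $tag;
    }
    foreach ($needles as $needle) {
        if (stripos($sanitizedHtml, $needle) !== false) {
            return $needle;
        }
    }
    return null;
}

// Usage sketch (assumed API; $allowed is the custom behavior's tag name list):
// $version = \Composer\InstalledVersions::getVersion('typo3/html-sanitizer') ?? '0.0.0';
// if (sanitizerVersionIsAffected($version) && riskyAllowedTags($allowed) !== []) { /* upgrade first */ }
// $out = (new \TYPO3\HtmlSanitizer\Builder\CommonBuilder())->build()->sanitize($untrusted);
// if (findLeakedRawTextToken($out, $allowed) !== null) { /* treat as sanitizer failure, drop markup */ }
```

The output guard is a string-level safety net only; the actual fix is upgrading to 1.5.0 or 2.1.1.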
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
composer/typo3/cms-core | >=10.0.0, <10.4.33; >=11.0.0, <11.5.20; >=12.0.0, <12.1.1 | |
composer/typo3/cms | >=10.0.0, <10.4.33; >=11.0.0, <11.5.20; >=12.0.0, <12.1.1 | |
TYPO3 HTML Sanitizer | >=1.0.0, <=1.0.7 | |
TYPO3 HTML Sanitizer | >=2.0.0, <2.1.1 | |
CVE-2022-23499 is a vulnerability that allows bypassing cross-site scripting (XSS) protection in the TYPO3 HTML Sanitizer.
CVE-2022-23499 impacts TYPO3 CMS versions 10.0.0 to 10.4.33, 11.0.0 to 11.5.20, and 12.0.0 to 12.1.1 when using the HTML Sanitizer component.
The severity of CVE-2022-23499 is medium with a CVSS score of 6.1.
To fix CVE-2022-23499 in TYPO3 CMS, upgrade to version 10.4.34 or higher for TYPO3 CMS 10.x, 11.5.21 or higher for TYPO3 CMS 11.x, and 12.1.2 or higher for TYPO3 CMS 12.x.
You can find more information about CVE-2022-23499 in the TYPO3 security advisory TYPO3-CORE-SA-2022-017.