CWE: 79

GHSA-mm79-jhqm-9j54: XSS

First published: Tue Nov 14 2023

> ### CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.4)
>
> ### Problem
>
> DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of [`typo3/html-sanitizer`](https://packagist.org/packages/typo3/html-sanitizer).
>
> ### Solution
>
> Update to `typo3/html-sanitizer` versions 1.5.3 or 2.1.4 that fix the problem described.
>
> ### Credits
>
> Thanks to Yaniv Nizry and Niels Dossche who reported this issue, and to TYPO3 core & security team member Oliver Hader who fixed the issue.
>
> ### References
>
> * [TYPO3-CORE-SA-2023-007](https://typo3.org/security/advisory/typo3-core-sa-2023-007)
> * [Context & Details at `masterminds/html5`](https://github.com/Masterminds/html5-php/issues/241)

| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/typo3/html-sanitizer | >=2.0.0 <=2.1.3 | 2.1.4 |
| composer/typo3/html-sanitizer | >=1.0.0 <=1.5.2 | 1.5.3 |
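As an added check (not part of the advisory or of the typo3/html-sanitizer project), this Python script reads a composer.lock and reports whether the pinned `typo3/html-sanitizer` version falls inside the affected ranges listed in the table above; the composer.lock content embedded in the script is constructed for illustration.

```python
import json
import re

PACKAGE = "typo3/html-sanitizer"

# Affected ranges from the advisory table: (lowest affected, highest affected,
# first fixed release), one entry per supported release line.
AFFECTED_RANGES = [
    ((1, 0, 0), (1, 5, 2), "1.5.3"),
    ((2, 0, 0), (2, 1, 3), "2.1.4"),
]


def parse_version(version):
    """Turn 'v2.1.3' or '2.1.3' into (2, 1, 3); any suffix after the patch number is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups())


def installed_version(lock_json):
    """Return the locked version of the sanitizer package, or None if it is not present."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None


def check_version(version):
    """Return (affected, first_fixed_version) for one package version string."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v <= high:
            return True, fix
    return False, None


# Constructed composer.lock excerpt (not from a real project) pinning a vulnerable 2.x release.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": PACKAGE, "version": "v2.1.3"}],
    "packages-dev": [],
})

if __name__ == "__main__":
    ver = installed_version(SAMPLE_LOCK)
    affected, fix = check_version(ver)
    status = f"AFFECTED, upgrade to {fix}" if affected else "not affected"
    print(f"{PACKAGE} {ver}: {status}")
```

To run it against a real project, replace `SAMPLE_LOCK` with the contents of that project's composer.lock.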


Frequently Asked Questions

  • What is the severity of GHSA-mm79-jhqm-9j54?

    The severity of GHSA-mm79-jhqm-9j54 is medium.

  • What is the problem with GHSA-mm79-jhqm-9j54?

    The problem with GHSA-mm79-jhqm-9j54 is that DOM processing instructions are not handled correctly, allowing bypassing the cross-site scripting mechanism of typo3/html-sanitizer.

  • How can I fix GHSA-mm79-jhqm-9j54?

    To fix GHSA-mm79-jhqm-9j54, update the typo3/html-sanitizer package to version 2.1.4 or later on the 2.x line, or to version 1.5.3 or later on the 1.x line.

  • What is the CVSS score of GHSA-mm79-jhqm-9j54?

    The CVSS score of GHSA-mm79-jhqm-9j54 is 4.4.

  • What is the CWE ID of GHSA-mm79-jhqm-9j54?

    The CWE ID of GHSA-mm79-jhqm-9j54 is 79.
