First published: Tue Nov 14 2023(Updated: )
> ### CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.4) ### Problem DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of [`typo3/html-sanitizer`](https://packagist.org/packages/typo3/html-sanitizer). ### Solution Update to `typo3/html-sanitizer` versions 1.5.3 or 2.1.4 that fix the problem described. ### Credits Thanks to Yaniv Nizry and Niels Dossche who reported this issue, and to TYPO3 core & security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2023-007](https://typo3.org/security/advisory/typo3-core-sa-2023-007) * [Context & Details at `masterminds/html5`](https://github.com/Masterminds/html5-php/issues/241)
Affected Software | Affected Version | How to fix |
---|---|---|
composer/typo3/html-sanitizer | >=2.0.0<=2.1.3 | 2.1.4 |
composer/typo3/html-sanitizer | >=1.0.0<=1.5.2 | 1.5.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of GHSA-mm79-jhqm-9j54 is medium.
The problem with GHSA-mm79-jhqm-9j54 is that DOM processing instructions are not handled correctly, allowing bypassing the cross-site scripting mechanism of typo3/html-sanitizer.
To fix GHSA-mm79-jhqm-9j54, update the typo3/html-sanitizer package to version 2.1.4 or version 1.5.3 or later.
The CVSS score of GHSA-mm79-jhqm-9j54 is 4.4.
The CWE ID of GHSA-mm79-jhqm-9j54 is 79.