CVE-2022-36020

Bypass of Cross-Site Scripting Protection in typo3/html-sanitizer

Description

The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Due to a parsing issue in the upstream package `masterminds/html5`, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows for a bypass of the cross-site scripting mechanism of `typo3/html-sanitizer`. This issue has been addressed in versions 1.0.7 and 2.0.16 of the `typo3/html-sanitizer` package. Users are advised to upgrade. There are no known workarounds for this issue.

References

Link	Tags
https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-47m6-46mj-p235	third party advisory
https://github.com/TYPO3/html-sanitizer/commit/60bfdc7f9b394d0236e16ee4cea8372a7defa493	third party advisory patch
https://packagist.org/packages/masterminds/html5	third party advisory
https://packagist.org/packages/typo3/html-sanitizer	third party advisory product

Frequently Asked Questions

What is the severity of CVE-2022-36020?: CVE-2022-36020 has been scored as a medium severity vulnerability.
How to fix CVE-2022-36020?: To fix CVE-2022-36020, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-36020 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-36020 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-36020?: CVE-2022-36020 affects TYPO3 html-sanitizer.

Description

Category

CWE-79 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References

Frequently Asked Questions