Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01OWpmLTNxOXYtcmg2Z84AA04l
By-passing Cross-Site Scripting Protection in HTML Sanitizer
CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C (4.4)
Problem
Due to an encoding issue in the serialization layer, malicious markup nested in a noscript element was not encoded correctly. noscript is disabled in the default configuration, but might have been enabled in custom scenarios. This allows bypassing the cross-site scripting protection of typo3/html-sanitizer.
Solution
Update to typo3/html-sanitizer versions 1.5.1 or 2.1.2, which fix the problem described.
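To check whether an installed copy falls inside the affected ranges listed in this advisory (>= 1.0.0, < 1.5.1 and >= 2.0.0, < 2.1.2), here is an added example that scans a composer.lock; it is not part of the advisory or of the TYPO3 project, and the sample lock file it embeds is constructed for illustration.

```python
"""Flag typo3/html-sanitizer versions affected by GHSA-59jf-3q9v-rh6g in a composer.lock."""
import json
import re

# Affected ranges as stated in the advisory: [lower, upper) pairs.
AFFECTED_RANGES = [("1.0.0", "1.5.1"), ("2.0.0", "2.1.2")]
PACKAGE = "typo3/html-sanitizer"


def parse_version(version: str) -> tuple:
    """Turn 'v2.1.2' or '2.1.2' into a comparable (major, minor, patch) tuple.

    A leading 'v' (as Composer writes it) is stripped; any non-numeric suffix is ignored.
    """
    core = re.match(r"^\d+(?:\.\d+)*", version.lstrip("v"))
    if core is None:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(x) for x in core.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True if the version lies in one of the advisory's affected ranges."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def check_composer_lock(lock_text: str) -> dict:
    """Return {package_name: installed_version} for affected installs.

    Both 'packages' and 'packages-dev' are inspected, since a dev-only install
    still runs the sanitizer in test or build tooling.
    """
    lock = json.loads(lock_text)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            version = pkg.get("version")
            if pkg.get("name") == PACKAGE and version and is_affected(version):
                findings[PACKAGE] = version
    return findings


# Constructed sample lock file (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/html-sanitizer", "version": "v2.1.1"},
        {"name": "psr/log", "version": "3.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))  # {'typo3/html-sanitizer': 'v2.1.1'}
```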
Credits
Thanks to David Klein and Yaniv Nizry who reported this issue, and to TYPO3 security team members Oliver Hader and Benjamin Franzke who fixed the issue.
References
Permalink: https://github.com/advisories/GHSA-59jf-3q9v-rh6g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01OWpmLTNxOXYtcmg2Z84AA04l
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 6 months ago
CVSS Score: 4.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-59jf-3q9v-rh6g, CVE-2023-38500
References:
- https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-59jf-3q9v-rh6g
- https://nvd.nist.gov/vuln/detail/CVE-2023-38500
- https://github.com/TYPO3/html-sanitizer/commit/e3026f589fef0be8c3574ee3f0a0bfbe33d7ebdb
- https://typo3.org/security/advisory/typo3-core-sa-2023-002
- https://github.com/advisories/GHSA-59jf-3q9v-rh6g
Blast Radius: 9.6
Affected Packages
packagist:typo3/html-sanitizer
Dependent packages: 2
Dependent repositories: 109
Downloads: 4,538,847 total
Affected Version Ranges: >= 2.0.0, < 2.1.2, >= 1.0.0, < 1.5.1
Fixed in: 2.1.2, 1.5.1
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.5.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.1.0, 2.1.1
All unaffected versions: 1.5.1, 1.5.2, 1.5.3, 2.1.2, 2.1.3, 2.1.4