Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01OWpmLTNxOXYtcmg2Z84AA04l

By-passing Cross-Site Scripting Protection in HTML Sanitizer

CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C (4.4)

Problem

Due to an encoding issue in the serialization layer, malicious markup nested in a noscript element was not encoded correctly. The noscript tag is disabled in the default configuration but might have been enabled in custom configurations. This allows bypassing the cross-site scripting protection of typo3/html-sanitizer.

Solution

Update to typo3/html-sanitizer version 1.5.1 or 2.1.2, which fix the problem described.

Credits

Thanks to David Klein and Yaniv Nizry who reported this issue, and to TYPO3 security team members Oliver Hader and Benjamin Franzke who fixed the issue.

References

Permalink: https://github.com/advisories/GHSA-59jf-3q9v-rh6g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01OWpmLTNxOXYtcmg2Z84AA04l
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 6 months ago
CVSS Score: 4.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-59jf-3q9v-rh6g, CVE-2023-38500
References: Repository: https://github.com/TYPO3/html-sanitizer
Blast Radius: 9.6

Affected Packages

packagist:typo3/html-sanitizer
Dependent packages: 2
Dependent repositories: 109
Downloads: 4,538,847 total
Affected Version Ranges: >= 2.0.0, < 2.1.2, >= 1.0.0, < 1.5.1
Fixed in: 2.1.2, 1.5.1
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.5.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.1.0, 2.1.1
All unaffected versions: 1.5.1, 1.5.2, 1.5.3, 2.1.2, 2.1.3, 2.1.4
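A practitioner-side check for the Solution and the Affected Version Ranges above, as an added example that is not part of the advisory or of the typo3/html-sanitizer project: it reads a composer.lock, finds the installed typo3/html-sanitizer version, and tests it against the two affected ranges and the fixed versions quoted on this page. The lock file contents are constructed for the example; the handling of Composer's "v" prefix and of pre-release suffixes is an assumption about Composer version strings, not something this page states.

```python
"""Audit a composer.lock for an affected typo3/html-sanitizer version.

Added example; not code from the advisory or the project.
"""
import json
import re
from typing import Optional, Tuple

PACKAGE = "typo3/html-sanitizer"

# Affected ranges as listed on this page: >= 1.0.0, < 1.5.1 and >= 2.0.0, < 2.1.2.
# Tuples are (major, minor, patch, release_flag); see parse_version for the flag.
AFFECTED_RANGES = [
    ((1, 0, 0, 1), (1, 5, 1, 1)),
    ((2, 0, 0, 1), (2, 1, 2, 1)),
]

# Fixed version for each affected major line, from the "Fixed in" field.
FIXED_VERSIONS = {1: "1.5.1", 2: "2.1.2"}

# Assumption: Composer lock versions look like "2.1.1", "v2.1.1", "2.1.2-rc1"
# or "2.1.2+build"; anything else (e.g. "dev-main") is treated as unknown.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+[0-9A-Za-z.]+)?$"
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse a version string into a comparable tuple, or None if unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    # Trailing 1 marks a final release, 0 a pre-release, so that a pre-release
    # of a fixed version (e.g. 2.1.2-rc1) still sorts below 2.1.2 and is
    # therefore still reported as affected.
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if not, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Fixed release for the same major line, if the version is affected."""
    v = parse_version(version)
    if v is None or not is_affected(version):
        return None
    return FIXED_VERSIONS.get(v[0])


def installed_version(lock_json: str, package: str = PACKAGE) -> Optional[str]:
    """Return the locked version of `package` from composer.lock JSON text."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def audit_lock(lock_json: str) -> dict:
    """Summarise whether the locked typo3/html-sanitizer needs the advisory's update."""
    version = installed_version(lock_json)
    if version is None:
        return {"installed": None, "affected": False, "fix": None}
    return {
        "installed": version,
        "affected": is_affected(version),  # None means "check manually"
        "fix": recommended_fix(version),
    }


# Constructed sample lock file (not a real project's lock).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "masterminds/html5", "version": "2.8.1"},
        {"name": "typo3/html-sanitizer", "version": "v2.1.1"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

Run it against a real lock file with `audit_lock(open("composer.lock").read())`. An `affected` value of None means the locked version string was not a plain release (for example a `dev-` branch alias) and must be checked by hand against the ranges above; the check deliberately does not guess in that case.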