Vulnerability Name:

CVE-2022-36020 (CCN-236052)

Assigned: 2022-09-13
Published: 2022-09-13
Updated: 2022-09-16
Summary: The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Due to a parsing issue in the upstream package `masterminds/html5`, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows for a bypass of the cross-site scripting mechanism of `typo3/html-sanitizer`. This issue has been addressed in versions 1.0.7 and 2.0.16 of the `typo3/html-sanitizer` package. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS v3 Severity: 6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Cross-Site Scripting
References: Source: MITRE
Type: CNA
CVE-2022-36020

Source: XF
Type: UNKNOWN
typo3-cve202236020-xss(236052)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/TYPO3/html-sanitizer/commit/60bfdc7f9b394d0236e16ee4cea8372a7defa493

Source: CONFIRM
Type: Third Party Advisory
https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-47m6-46mj-p235

Source: MISC
Type: Third Party Advisory
https://packagist.org/packages/masterminds/html5

Source: MISC
Type: Product, Third Party Advisory
https://packagist.org/packages/typo3/html-sanitizer

Source: CCN
Type: TYPO3-CORE-SA-2022-011
By-passing Cross-Site Scripting Protection in HTML Sanitizer

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:typo3:html_sanitizer:*:*:*:*:*:*:*:* (Version >= 2.0.0 and < 2.0.16)
  • OR cpe:/a:typo3:html_sanitizer:*:*:*:*:*:*:*:* (Version >= 1.0.0 and < 1.0.7)

Configuration CCN 1:
  • cpe:/a:typo3:typo3:7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:typo3:typo3:8.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:typo3:typo3:9.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:typo3:typo3:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:typo3:typo3:11.0.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable