Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-36020
Summary
The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Due to a parsing issue in the upstream package masterminds/html5, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This issue affects versions prior to 2.7.6 of masterminds/html5 package. Users are advised to upgrade. There are no known workarounds for this issue. NOTE: Even though the issue was identified in typo3/html-sanitizer the vulnerable package is the masterminds/html5 and that will be the one marked as vulnerable.
- LOW
- NETWORK
- LOW
- CHANGED
- REQUIRED
- NONE
- LOW
- NONE
CWE-79 - Cross Site Scripting
Cross-Site Scripting, commonly referred to as XSS, is the most dominant class of vulnerabilities. It allows an attacker to inject malicious code into a pregnable web application and victimize its users. The exploitation of such a weakness can cause severe issues such as account takeover, and sensitive data exfiltration. Because of the prevalence of XSS vulnerabilities and their high rate of exploitation, it has remained in the OWASP top 10 vulnerabilities for years.
References
Advisory Timeline
- Published