Skip to main content

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-36020

Severity Medium
Score 6.1/10

Summary

The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Due to a parsing issue in the upstream package masterminds/html5, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This issue affects versions prior to 2.7.6 of masterminds/html5 package. Users are advised to upgrade. There are no known workarounds for this issue. NOTE: Even though the issue was identified in typo3/html-sanitizer the vulnerable package is the masterminds/html5 and that will be the one marked as vulnerable.

  • LOW
  • NETWORK
  • LOW
  • CHANGED
  • REQUIRED
  • NONE
  • LOW
  • NONE

CWE-79 - Cross Site Scripting

Cross-Site Scripting, commonly referred to as XSS, is the most dominant class of vulnerabilities. It allows an attacker to inject malicious code into a pregnable web application and victimize its users. The exploitation of such a weakness can cause severe issues such as account takeover, and sensitive data exfiltration. Because of the prevalence of XSS vulnerabilities and their high rate of exploitation, it has remained in the OWASP top 10 vulnerabilities for years.

Advisory Timeline

  • Published