CVE-2010-4183: HTML Purifier cross-site scripting (XSS) vulnerability
4.3
CVSS Score
Basic Information
CVE ID
GHSA ID
EPSS Score
0.49563%
CWE
Published
5/13/2022
Updated
4/23/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
AV:N/AC:M/Au:N/C:N/I:P/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
ezyang/htmlpurifier | composer | < 4.1.0 | 4.1.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper sanitization of CSS properties (background, background-image, font-family) in IE contexts. HTML Purifier uses dedicated validator classes for each CSS property. The validators for these specific properties in versions <4.1.0 lacked proper handling of IE-specific attack vectors like 'expression()' or malformed URIs. The functions directly responsible for validating these properties (in Background.php
and FontFamily.php
) would be the injection points, as confirmed by the vulnerability's context and HTML Purifier's architecture.