6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23499

GHSA ID

GHSA-hvwx-qh2h-xcfj

EPSS Score

0.07963%

CWE

CWE-79

Published

12/13/2022

Updated

1/29/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23499

CVE-2022-23499: TYPO3 HTML Sanitizer vulnerable to Cross-Site Scripting

Problem

Due to a parsing issue in the upstream package masterminds/html5, malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer.

Besides that, the upstream package masterminds/html5 provides HTML raw text elements (script, style, noframes, noembed and iframe) as DOMText nodes, which were not processed and sanitized further. None of the mentioned elements were defined in the default builder configuration, that's why only custom behaviors, using one of those tag names, were vulnerable to cross-site scripting.

Solution

Update to typo3/html-sanitizer versions 1.5.0 or 2.1.1 that fix the problem described.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23499

GHSA ID

GHSA-hvwx-qh2h-xcfj

EPSS Score

0.07963%

CWE

CWE-79

Published

12/13/2022

Updated

1/29/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/html-sanitizer	composer	>= 1.0.0, < 1.5.0	1.5.0
typo3/html-sanitizer	composer	>= 2.0.0, < 2.1.1	2.1.1
typo3/cms	composer	>= 10.0.0, < 10.4.33	10.4.33
typo3/cms	composer	>= 11.0.0, < 11.5.20	11.5.20
typo3/cms	composer	>= 12.0.0, < 12.1.1	12.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues: 1) Improper handling of CDATA sections parsed as DOMText nodes by masterminds/html5, and 2) Lack of processing for raw text elements returned as DOMText. The CommonVisitor's text node handling (visitText) was vulnerable because it didn't escape CDATA content or process raw text elements. The CommonBuilder's configuration gap (createBehavior) left these elements unregulated. The security patches explicitly modified these components to add CDATA escaping and raw text element processing, confirming their role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Pro*l*m *u* to * p*rsin* issu* in t** upstr**m p**k*** [`m*st*rmin*s/*tml*`](*ttps://p**k**ist.or*/p**k***s/m*st*rmin*s/*tml*), m*li*ious m*rkup us** in * s*qu*n** wit* sp**i*l *TML ***T* s**tions **nnot ** *ilt*r** *n* s*nitiz**. T*is *llows *yp

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s: *) Improp*r **n*lin* o* ***T* s**tions p*rs** *s `*OMT*xt` no**s *y `m*st*rmin*s/*tml*`, *n* *) L**k o* pro**ssin* *or r*w t*xt *l*m*nts r*turn** *s `*OMT*xt`. T** `*ommonVisitor`'s t*xt no** **n*lin* (`vi

6.1

Basic Information

Concerned about an active attack path?

CVE-2022-23499: TYPO3 HTML Sanitizer vulnerable to Cross-Site Scripting

Problem

Solution

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI