6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36020

GHSA ID

GHSA-47m6-46mj-p235

EPSS Score

0.30047%

CWE

CWE-79

Published

9/16/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36020

CVE-2022-36020:
TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection

Meta

CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C (5.7)

Problem

Due to a parsing issue in upstream package masterminds/html5, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows to by-pass the cross-site scripting mechanism of typo3/html-sanitizer.

Solution

Update to typo3/html-sanitizer versions 1.0.7 or 2.0.16 that fix the problem described.

Credits

Thanks to David Klein who reported this issue, and to TYPO3 security team member Oliver Hader who fixed the issue.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36020

GHSA ID

GHSA-47m6-46mj-p235

EPSS Score

0.30047%

CWE

CWE-79

Published

9/16/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/html-sanitizer	composer	>= 1.0.0, < 1.0.7	1.0.7
typo3/html-sanitizer	composer	>= 2.0.0, < 2.0.16	2.0.16
typo3/cms-core	composer	>= 10.0.0, < 10.4.32	10.4.32
typo3/cms-core	composer	>= 11.0.0, < 11.5.16	11.5.16
typo3/cms	composer	>= 10.0.0, < 10.4.32	10.4.32
typo3/cms	composer	>= 11.0.0, < 11.5.16	11.5.16

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from a parsing issue in the upstream package masterminds/html5, which the TYPO3 HTML sanitizer (typo3/html-sanitizer) depends on. The TYPO3 packages themselves do not contain the vulnerable parsing logic but rely on the outdated masterminds/html5 library. The vulnerability occurs because the parser fails to correctly handle HTML comments followed by malicious markup, allowing XSS bypass. The fix involved updating the dependency to a patched version of masterminds/html5, indicating the root cause was in the third-party library. No specific functions within the TYPO3 packages (e.g., typo3/html-sanitizer) were identified as directly vulnerable with high confidence; the issue arises from the integration of the vulnerable external parser.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

> ### M*t* > * *VSS: `*VSS:*.*/*V:N/**:L/PR:N/UI:R/S:*/*:L/I:L/*:N/*:*/RL:O/R*:*` (*.*) ### Pro*l*m *u* to * p*rsin* issu* in upstr**m p**k*** [`m*st*rmin*s/*tml*`](*ttps://p**k**ist.or*/p**k***s/m*st*rmin*s/*tml*), m*li*ious m*rkup us** in * s*qu*n

Reasoning

T** vuln*r**ility st*ms *rom * p*rsin* issu* in t** upstr**m p**k*** `m*st*rmin*s/*tml*`, w*i** t** TYPO* *TML s*nitiz*r (`typo*/*tml-s*nitiz*r`) **p*n*s on. T** TYPO* p**k***s t**ms*lv*s *o not *ont*in t** vuln*r**l* p*rsin* lo*i* *ut r*ly on t** ou

6.1

Basic Information

Concerned about an active attack path?

CVE-2022-36020: TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection

Meta

Problem

Solution

Credits

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-36020:
TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection

Vulnerability Intelligence
Miggo AI