- Component Type: TYPO3 CMS
- Subcomponent: HTML Sanitizer (based on typo3/html-sanitizer)
- Release Date: December 13, 2022
- Vulnerability Type: Cross-Site Scripting
- Affected Versions: 8.0.0-8.7.48, 9.0.0-9.5.37, 10.0.0-10.4.32, 11.0.0-11.5.19, 12.0.0-12.1.0
- Severity: Medium
- Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
- References: CVE-2022-23499, CWE-79
Problem Description
Due to a parsing issue in the upstream package masterminds/html5, malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer.
Besides that, the upstream package masterminds/html5 provides HTML raw text elements (script, style, noframes, noembed and iframe) as DOMText nodes, which were not processed and sanitized further. None of the mentioned elements were defined in the default builder configuration, that's why only custom behaviors, using one of those tag names, were vulnerable to cross-site scripting.
Solution
Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.
Credits
Thanks to David Klein who reported this issue, and to TYPO3 core & security team member Oliver Hader who fixed the issue.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note
All security related code changes are tagged so that you can easily look them up in our review system.