VulnerableCode Package Details - pkg:composer/typo3/cms-core@7.6.57

Search for packages

Vulnerability	Summary	Fixed by
VCID-gjpz-dm25-wbej Aliases: GHSA-gqqf-g5r7-84vf	TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7) ### Problem Due to a parsing issue in upstream package [`masterminds/html5`](https://packagist.org/packages/masterminds/html5), malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows to by-pass the cross-site scripting mechanism of [`typo3/html-sanitizer`](https://github.com/TYPO3/html-sanitizer). ### Solution Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above. ### Credits Thanks to David Klein who reported this issue, and to TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-011](https://typo3.org/security/advisory/typo3-core-sa-2022-011) * [GHSA-47m6-46mj-p235](https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-47m6-46mj-p235)	7.6.58 Affected by 0 other vulnerabilities. 8.7.48 Affected by 0 other vulnerabilities. 9.5.37 Affected by 0 other vulnerabilities. 10.4.32 Affected by 17 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.5.16 Affected by 17 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-gjpz-dm25-wbej
Aliases:
GHSA-gqqf-g5r7-84vf

TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7) ### Problem Due to a parsing issue in upstream package [`masterminds/html5`](https://packagist.org/packages/masterminds/html5), malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows to by-pass the cross-site scripting mechanism of [`typo3/html-sanitizer`](https://github.com/TYPO3/html-sanitizer). ### Solution Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above. ### Credits Thanks to David Klein who reported this issue, and to TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-011](https://typo3.org/security/advisory/typo3-core-sa-2022-011) * [GHSA-47m6-46mj-p235](https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-47m6-46mj-p235)

7.6.58
Affected by 0 other vulnerabilities.

8.7.48
Affected by 0 other vulnerabilities.

9.5.37
Affected by 0 other vulnerabilities.

10.4.32
Affected by 17 other vulnerabilities.

11.5.16
Affected by 17 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T14:33:27.457464+00:00	GHSA Importer	Affected by	VCID-gjpz-dm25-wbej	https://github.com/advisories/GHSA-gqqf-g5r7-84vf	36.1.3
2025-07-01T14:33:08.532339+00:00	GHSA Importer	Fixing	VCID-q2ch-qd6x-vqeu	https://github.com/advisories/GHSA-fh99-4pgr-8j99	36.1.3
2025-07-01T14:33:08.319202+00:00	GHSA Importer	Fixing	VCID-xxf2-6qn3-x7f8	https://github.com/advisories/GHSA-8gmv-9hwg-w89g	36.1.3
2025-07-01T12:25:44.379195+00:00	GithubOSV Importer	Fixing	VCID-q2ch-qd6x-vqeu	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-fh99-4pgr-8j99/GHSA-fh99-4pgr-8j99.json	36.1.3
2025-07-01T12:25:37.173563+00:00	GithubOSV Importer	Fixing	VCID-xxf2-6qn3-x7f8	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-8gmv-9hwg-w89g/GHSA-8gmv-9hwg-w89g.json	36.1.3