Search for packages
| purl | pkg:composer/typo3/cms-core@9.5.36 |
| Tags | Ghost |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-gjpz-dm25-wbej
Aliases: GHSA-gqqf-g5r7-84vf |
TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7) ### Problem Due to a parsing issue in upstream package [`masterminds/html5`](https://packagist.org/packages/masterminds/html5), malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows to by-pass the cross-site scripting mechanism of [`typo3/html-sanitizer`](https://github.com/TYPO3/html-sanitizer). ### Solution Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above. ### Credits Thanks to David Klein who reported this issue, and to TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-011](https://typo3.org/security/advisory/typo3-core-sa-2022-011) * [GHSA-47m6-46mj-p235](https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-47m6-46mj-p235) |
Affected by 0 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 17 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-07-01T14:33:27.486957+00:00 | GHSA Importer | Affected by | VCID-gjpz-dm25-wbej | https://github.com/advisories/GHSA-gqqf-g5r7-84vf | 36.1.3 |