Search for packages
| purl | pkg:composer/typo3/html-sanitizer@2.0.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-9vzf-4j4j-gyex
Aliases: CVE-2022-36020 GHSA-47m6-46mj-p235 |
TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7) ### Problem Due to a parsing issue in upstream package [`masterminds/html5`](https://packagist.org/packages/masterminds/html5), malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows to by-pass the cross-site scripting mechanism of `typo3/html-sanitizer`. ### Solution Update to `typo3/html-sanitizer` versions 1.0.7 or 2.0.16 that fix the problem described. ### Credits Thanks to David Klein who reported this issue, and to TYPO3 security team member Oliver Hader who fixed the issue. |
Affected by 2 other vulnerabilities. |
|
VCID-bjcu-67xc-57bn
Aliases: CVE-2023-38500 GHSA-59jf-3q9v-rh6g |
By-passing Cross-Site Scripting Protection in HTML Sanitizer > ### CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.4) ### Problem Due to an encoding issue in the serialization layer, malicious markup nested in a `noscript` element was not encoded correctly. `noscript` is disabled in the default configuration, but might have been enabled in custom scenarios. This allows bypassing the cross-site scripting mechanism of [`typo3/html-sanitizer`](https://packagist.org/packages/typo3/html-sanitizer). ### Solution Update to `typo3/html-sanitizer` versions 1.5.1 or 2.1.2 that fix the problem described. ### Credits Thanks to David Klein and Yaniv Nizry who reported this issue, and to TYPO3 security team members Oliver Hader and Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2023-002](https://typo3.org/security/advisory/typo3-core-sa-2023-002) |
Affected by 1 other vulnerability. |
|
VCID-qw91-ryx7-fqhz
Aliases: CVE-2023-47125 GHSA-mm79-jhqm-9j54 |
Bypassing Cross-Site Scripting Protection in TYPO3 HTML Sanitizer > ### CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.4) ### Problem DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of [`typo3/html-sanitizer`](https://packagist.org/packages/typo3/html-sanitizer). ### Solution Update to `typo3/html-sanitizer` versions 1.5.3 or 2.1.4 that fix the problem described. ### Credits Thanks to Yaniv Nizry and Niels Dossche who reported this issue, and to TYPO3 core & security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2023-007](https://typo3.org/security/advisory/typo3-core-sa-2023-007) * [Context & Details at `masterminds/html5`](https://github.com/Masterminds/html5-php/issues/241) |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-07-03T18:53:21.769695+00:00 | GitLab Importer | Affected by | VCID-qw91-ryx7-fqhz | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/html-sanitizer/CVE-2023-47125.yml | 37.0.0 |
| 2025-07-03T18:47:37.442762+00:00 | GitLab Importer | Affected by | VCID-bjcu-67xc-57bn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/html-sanitizer/CVE-2023-38500.yml | 37.0.0 |
| 2025-07-03T18:30:23.232986+00:00 | GitLab Importer | Affected by | VCID-9vzf-4j4j-gyex | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/html-sanitizer/CVE-2022-36020.yml | 37.0.0 |