CVE-2022-23499 MEDIUM

CVE-2022-23499: Cross-Site Scripting Protection bypass in HTML Sanitizer

Vendor Typo3
Product html-sanitizer
Weakness CWE-79 · XSS
Published December 13, 2022
Last update April 23, 2025
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

HTML sanitizer is written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. In versions prior to 1.5.0 or 2.1.1, malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized due to a parsing issue in the upstream package masterminds/html5. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. The upstream package masterminds/html5 provides HTML raw text elements (`script`, `style`, `noframes`, `noembed` and `iframe`) as DOMText nodes, which were not processed and sanitized further. None of the mentioned elements were defined in the default builder configuration, that's why only custom behaviors, using one of those tag names, were vulnerable to cross-site scripting. This issue has been fixed in versions 1.5.0 and 2.1.1.

Key dates

02Disclosure timeline

December 13, 2022 CVE published
April 23, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-31891 WordPress Gosign – Posts Slider Block plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability CVE-2021-42357 DOM based XSS Vulnerability in Apache Knox CVE-2025-46734 league/commonmark Cross-site Scripting vulnerability in Attributes extension CVE-2022-0533 Ditty (formerly Ditty News Ticker) < 3.0.15 - Reflected Cross-Site Scripting (XSS) CVE-2025-26954 WordPress ZooEffect plugin <= 1.11 - Reflected Cross Site Scripting (XSS) vulnerability