CVE-2023-47125 MEDIUM

CVE-2023-47125: By-passing Cross-Site Scripting Protection in HTML Sanitizer

Vendor Typo3

Product html-sanitizer

Weakness CWE-79 · XSS

Published November 14, 2023

Last update August 29, 2024

View on NVD All CVEs

CVSS base score

4.7/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. This vulnerability has been addressed in versions 1.5.3 and 2.1.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

November 14, 2023 CVE published

August 29, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-47125

Related vulnerabilities

Identifiers

CVE CVE-2023-47125

CWE CWE-79

CVSS 4.7 / MEDIUM

Affected versions

Vendor Typo3

Product html-sanitizer

Affected >= 1.0.0, < 1.5.3

Vendor Typo3

Product html-sanitizer

Affected >= 2.0.0, < 2.1.4

CVE-2023-47125: By-passing Cross-Site Scripting Protection in HTML Sanitizer

01Description

02Disclosure timeline

03References

04Related CVE