Lucene search
PRIOn knowledge basePRION:CVE-2023-38500HistoryJul 25, 2023 - 9:15 p.m.
Cross site scripting
2023-07-2521:15:00
PRIOn knowledge base
www.prio-n.com
5
typo3
html
sanitizer
cross site scripting
noscript
encoding
serialization
bypassing mechanism
version fix
0.001 Low
EPSS
Percentile
33.7%
TYPO3 HTML Sanitizer is an HTML sanitizer, written in PHP, aiming to provide cross-site-scripting-safe markup based on explicitly allowed tags, attributes and values. Starting in version 1.0.0 and prior to versions 1.5.1 and 2.1.2, due to an encoding issue in the serialization layer, malicious markup nested in a noscript element was not encoded correctly. noscript is disabled in the default configuration, but might have been enabled in custom scenarios. This allows bypassing the cross-site scripting mechanism of TYPO3 HTML Sanitizer. Versions 1.5.1 and 2.1.2 fix the problem.
| CPE | Name | Operator | Version |
|---|---|---|---|
| html_sanitizer | ge | 2.0.0 | |
| html_sanitizer | lt | 2.1.2 | |
| html_sanitizer | ge | 1.0.0 | |
| html_sanitizer | lt | 1.5.1 |
Related
osv
osv
By-passing Cross-Site Scripting Protection in HTML Sanitizer
2023-07-25 18:27:16
CVE-2023-38500
2023-07-25 21:15:11
github
github
By-passing Cross-Site Scripting Protection in HTML Sanitizer
2023-07-25 18:27:16
veracode
veracode
Cross-Site Scripting (XSS)
2023-07-27 12:56:44
cvelist
cvelist
CVE-2023-38500 By-passing Cross-Site Scripting Protection in HTML Sanitizer
2023-07-25 20:59:53
ubuntucve
ubuntucve
CVE-2023-38500
2023-07-25 00:00:00
nvd
nvd
CVE-2023-38500
2023-07-25 21:15:11
cve
cve
CVE-2023-38500
2023-07-25 21:15:11
nessus
nessus
freebsd
freebsd
typo3 -- multiple vulnerabilities
2023-07-25 00:00:00