GMS-2022-4096: TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection

September 15, 2022

Due to a parsing issue in upstream package masterminds/html5, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows to by-pass the cross-site scripting mechanism of typo3/html-sanitizer.

References

github.com/TYPO3/typo3/commit/d4f260570abd934fcf3819370a135bef33d729b7
github.com/TYPO3/typo3/security/advisories/GHSA-gqqf-g5r7-84vf
github.com/advisories/GHSA-gqqf-g5r7-84vf

Detect and mitigate GMS-2022-4096 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →