CVE-2022-36020
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-36020
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-36020.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-36020
- Aliases
- Published
- 2022-09-13T16:55:10Z
- Modified
- 2025-11-14T13:30:12.766097Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Bypass of Cross-Site Scripting Protection in typo3/html-sanitizer
- Details
-
The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Due to a parsing issue in the upstream package
masterminds/html5, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows for a bypass of the cross-site scripting mechanism oftypo3/html-sanitizer. This issue has been addressed in versions 1.0.7 and 2.0.16 of thetypo3/html-sanitizerpackage. Users are advised to upgrade. There are no known workarounds for this issue. - Database specific
{ "cwe_ids": [ "CWE-79" ] }- References