Home > Vulnerability Database > CVE-2022-36020

Mend.io Vulnerability Database

CVE-2022-36020

Good to know:

Date: September 13, 2022

The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Due to a parsing issue in the upstream package `masterminds/html5`, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows for a bypass of the cross-site scripting mechanism of `typo3/html-sanitizer`. This issue has been addressed in versions 1.0.7 and 2.0.16 of the `typo3/html-sanitizer` package. Users are advised to upgrade. There are no known workarounds for this issue.

Language: PHP

Severity Score

6.1

Related Resources (6)

Url: https://packagist.org/packages/masterminds/html5

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-36020

Url: https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-47m6-46mj-p235

Url: https://packagist.org/packages/typo3/html-sanitizer

Url: https://github.com/TYPO3/html-sanitizer/commit/60bfdc7f9b394d0236e16ee4cea8372a7defa493

Url: https://www.mend.io/vulnerability-database/CVE-2022-36020

Severity Score

6.1

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version v1.0.7,v2.0.16

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-36020

Good to know:

Date: September 13, 2022

Language: PHP

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?