CVE-2022-36020

Description

> ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7) ### Problem Due to a parsing issue in upstream package [`masterminds/html5`](https://packagist.org/packages/masterminds/html5), malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows to by-pass the cross-site scripting mechanism of `typo3/html-sanitizer`. ### Solution Update to `typo3/html-sanitizer` versions 1.0.7 or 2.0.16 that fix the problem described. ### Credits Thanks to David Klein who reported this issue, and to TYPO3 security team member Oliver Hader who fixed the issue.

How to fix CVE-2022-36020

To remediate CVE-2022-36020, upgrade the affected package to a fixed version below.

• —upgrade to 10.4.32 or later
• —upgrade to 10.4.32 or later
• —upgrade to 1.0.7 or later

Is CVE-2022-36020 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• >= 10.0.0, < 10.4.32
• >= 10.0.0, < 10.4.32
• >= 1.0.0, < 1.0.7

CVSS scores

References (10)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-36020
• PATCHgithub.com/TYPO3/html-sanitizer
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36020.yaml
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36020.yaml