CVE-2023-38500
CVSS 3.1 Score 6.1 of 10 (medium)
Details
Summary
CVE-2023-38500 is a vulnerability affecting the TYPO3 HTML Sanitizer, an HTML sanitizer written in PHP used to provide cross-site scripting (XSS) safe markup based on allowed tags, attributes, and values. The issue lies in the serialization layer, where malicious markup nested within a `noscript` tag was not encoded correctly. Although `noscript` is disabled by default, it may have been enabled in some custom configurations. Consequently, attackers could bypass the XSS protection mechanism of TYPO3 HTML Sanitizer. Versions 1.5.1 and 2.1.2 have been released to address this vulnerability.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Affected Products
- Typo3 Html Sanitizer
Affected Vendors
- TYPO3
Advisories, Assessments, and Mitigations
Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future
- Gain complete coverage of your cyber, third party, and physical attack surface
- Proactively mitigate threats before they turn into costly attacks
- Make fast, effective, data-driven decisions