CVE-2023-47125

MEDIUM

Typo3 Html Sanitizer < 1.5.3 - XSS

Title source: rule

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. This vulnerability has been addressed in versions 1.5.3 and 2.1.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploits (1)

nomisec WORKING POC

by nikn0laty · poc

https://github.com/nikn0laty/TYPO3-HTML-Sanitizer-XSS-CVE-2023-47125

View Code ZIP pw:eip

References (3)

[Patch] https://github.com/TYPO3/html-sanitizer/commit/b8f90717251d968c49dc77f8c1e5912e2fbe0dff

[Vendor Advisory] https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-mm79-jhqm-9j54

[Vendor Advisory] https://typo3.org/security/advisory/typo3-core-sa-2023-007

Scores

CVSS v3 4.7

EPSS 0.0048

EPSS Percentile 65.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (4)

typo3/html-sanitizer 1.0.0 - 1.5.3Packagist

typo3/html_sanitizer 1.0.0 - 1.5.3

typo3/typo3 11.3.2 - 11.5.33

typo3/typo3 8.7.42 - 8.7.55

Published Nov 14, 2023

Tracked Since Feb 18, 2026