Bug spawned by parsing problem in upstream package

The maintainers of venerable open source content management system (CMS) TYPO3 have fixed a cross-site scripting (XSS) flaw with a raft of software updates.

The XSS mechanism of PHP package typo3/html-sanitizer was bypassed due to a parsing problem in upstream package masterminds/html5, whereby a “malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized”, explained a GitHub advisory published on Tuesday (September 13).

The issue has been patched in 7.6.58, 8.7.48, 9.5.37, 10.4.32, and 11.5.16 of typo3/cms-core. All prior versions on these release lines are affected.


DON’T MISS WordPress project WPHash harvests 75 million hashes for detecting vulnerable plugins


With user interaction required the bug is classed as only moderate severity, notching a CVSS score of 6.1.

Nevertheless, even with a modest market share TYPO3 accounts for a huge number of active installations.

Launched in 1997, the free-to-use CMS has 2.43% of the CMS market, which translates to more than 230,000 customers, 46% of which are based in Germany.

The TYPO3 Association, which has around 900 members, funds development via donations and membership subscriptions.

Credit for bug discovery goes to security researcher David Klein, while Oliver Hader, TYPO3 security team lead and core developer, developed the patch.


RECOMMENDED Six-year-old blind SSRF vulnerability in WordPress Core feature could enable DDoS attacks