Bug spawned by parsing problem in upstream package
The XSS mechanism of PHP package typo3/html-sanitizer was bypassed due to a parsing problem in upstream package masterminds/html5, whereby a “malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized”, explained a GitHub advisory published on Tuesday (September 13).
The issue has been patched in 7.6.58, 8.7.48, 9.5.37, 10.4.32, and 11.5.16 of typo3/cms-core. All prior versions on these release lines are affected.
With user interaction required the bug is classed as only moderate severity, notching a CVSS score of 6.1.
Nevertheless, even with a modest market share TYPO3 accounts for a huge number of active installations.
The TYPO3 Association, which has around 900 members, funds development via donations and membership subscriptions.
Credit for bug discovery goes to security researcher David Klein, while Oliver Hader, TYPO3 security team lead and core developer, developed the patch.