CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C (4.4)
Problem
DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer.
Solution
Update to typo3/html-sanitizer versions 1.5.3 or 2.1.4 that fix the problem described.
Credits
Thanks to Yaniv Nizry and Niels Dossche who reported this issue, and to TYPO3 core & security team member Oliver Hader who fixed the issue.
References
Problem
DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of
typo3/html-sanitizer.Solution
Update to
typo3/html-sanitizerversions 1.5.3 or 2.1.4 that fix the problem described.Credits
Thanks to Yaniv Nizry and Niels Dossche who reported this issue, and to TYPO3 core & security team member Oliver Hader who fixed the issue.
References
masterminds/html5