Html Sanitizer
Monthly
HTML serialization in typo3/html-sanitizer before version 2.3.2 fails to encode namespace attributes (xmlns:*), allowing an authenticated low-privilege attacker to inject unsanitized XSS payloads that execute in victims' browsers. The vulnerability bypasses the library's core XSS prevention purpose: crafted namespace attribute values containing raw HTML (e.g., onerror handlers) survive the sanitizer and render as executable markup. No public exploit has been independently identified at time of analysis, though the vendor-published commit includes a working test case demonstrating the exact bypass payload.
XSS sanitizer bypass in typo3/html-sanitizer before 2.3.2 allows authenticated low-privileged users to inject unsanitized HTML by exploiting a parser divergence between the Masterminds HTML5 tokenizer and browser behavior for whitespace-variant closing tags such as </style\t>. The vulnerability is gated behind the non-default ALLOW_INSECURE_RAW_TEXT configuration flag, substantially limiting exposure. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
TYPO3 is an open source PHP based web content management system released under the GNU GPL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
TYPO3 HTML Sanitizer is an HTML sanitizer, written in PHP, aiming to provide cross-site-scripting-safe markup based on explicitly allowed tags, attributes and values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
HTML sanitizer is written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
HTML serialization in typo3/html-sanitizer before version 2.3.2 fails to encode namespace attributes (xmlns:*), allowing an authenticated low-privilege attacker to inject unsanitized XSS payloads that execute in victims' browsers. The vulnerability bypasses the library's core XSS prevention purpose: crafted namespace attribute values containing raw HTML (e.g., onerror handlers) survive the sanitizer and render as executable markup. No public exploit has been independently identified at time of analysis, though the vendor-published commit includes a working test case demonstrating the exact bypass payload.
XSS sanitizer bypass in typo3/html-sanitizer before 2.3.2 allows authenticated low-privileged users to inject unsanitized HTML by exploiting a parser divergence between the Masterminds HTML5 tokenizer and browser behavior for whitespace-variant closing tags such as </style\t>. The vulnerability is gated behind the non-default ALLOW_INSECURE_RAW_TEXT configuration flag, substantially limiting exposure. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
TYPO3 is an open source PHP based web content management system released under the GNU GPL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
TYPO3 HTML Sanitizer is an HTML sanitizer, written in PHP, aiming to provide cross-site-scripting-safe markup based on explicitly allowed tags, attributes and values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
HTML sanitizer is written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.