CVE-2023-47125— By-passing Cross-Site Scripting Protection in HTML Sanitizer

CVSS 4.7 · Medium EPSS 0.56% · P68 Updated Jan 25, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-47125

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

By-passing Cross-Site Scripting Protection in HTML Sanitizer

Source: NVD (National Vulnerability Database)

Vulnerability Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. This vulnerability has been addressed in versions 1.5.3 and 2.1.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Source: NVD (National Vulnerability Database)

Vulnerability Title

TYPO3 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

TYPO3是瑞士TYPO3协会的一套免费开源的内容管理系统(框架)(CMS/CMF)。 TYPO3存在安全漏洞，该漏洞源于DOM处理指令无法正确处理，允许绕过typo3/html-sanitizer的跨站脚本机制。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
TYPO3	html-sanitizer	>= 1.0.0, < 1.5.3	-

II. Public POCs for CVE-2023-47125

#	POC Description	Source Link	Shenlong Link
1	Stored XSS (exploit) in TYPO3 HTML Sanitizer (CVE-2023-47125). DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer.	https://github.com/nikn0laty/TYPO3-HTML-Sanitizer-XSS-CVE-2023-47125	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-47125

请登录查看更多情报信息。

https://typo3.org/security/advisory/typo3-core-sa-2023-007x_refsource_MISC
https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-mm79-jhqm-9j54x_refsource_CONFIRM
https://github.com/TYPO3/html-sanitizer/commit/b8f90717251d968c49dc77f8c1e5912e2fbe0dffx_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2023-47125

Same Patch Batch · TYPO3 · 2023-11-14 · 3 CVEs total

CVE-2023-47127	4.2 MEDIUM	Weak Authentication in Session Handling in typo3/cms-core
CVE-2023-47126	3.7 LOW	Information Disclosure in Install Tool in typo3/cms-install

IV. Related Vulnerabilities

Same product: html-sanitizer

Same vendor: TYPO3

Same weakness: CWE-79

V. Comments for CVE-2023-47125

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2023-47125— By-passing Cross-Site Scripting Protection in HTML Sanitizer

I. Basic Information for CVE-2023-47125

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-47125

III. Intelligence Information for CVE-2023-47125

Same Patch Batch · TYPO3 · 2023-11-14 · 3 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2023-47125

Leave a comment