In a recent software update, the maintainers of the open-source content management system TYPO3 fixed an XSS flaw.
Due to a parsing issue in the upstream package masterminds/html5, the XSS protection of the PHP package typo3/html-sanitizer could be bypassed, so that a “malicious markup sequence with special HTML comments” was not filtered and sanitized, according to a GitHub advisory published on Tuesday.
This issue has been fixed in typo3/cms-core versions 7.6.58, 8.7.48, 9.5.37, 10.4.32, and 11.5.16. This issue affects all previous versions of these release lines.
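A practical first step for anyone running TYPO3 is to check whether the installed typo3/cms-core version sits before the fix on its release line. The script below is an added example written for this article, not code from TYPO3 or the advisory; it assumes a standard Composer-managed installation (versions read from composer.lock, where TYPO3 tags appear as e.g. "v11.5.15") and uses a constructed composer.lock fragment as sample input. Release lines the advisory does not list are reported as unknown rather than guessed.

```python
import json
import re

# Fixed versions named in the advisory, one per maintained release line.
FIXED_VERSIONS = ["7.6.58", "8.7.48", "9.5.37", "10.4.32", "11.5.16"]


def parse_version(version):
    """Return (major, minor, patch) from strings such as '11.5.15' or 'v11.5.15'.

    A leading 'v' and any suffix after the third numeric component are ignored.
    """
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """Classify a typo3/cms-core version against the advisory's fixed versions.

    True  -> same release line as a fixed version, but an older patch level.
    False -> at or beyond the fixed patch level of that release line.
    None  -> release line not covered by the advisory (e.g. 6.2 or 12.x).
    """
    major, minor, patch = parse_version(version)
    for fixed in FIXED_VERSIONS:
        f_major, f_minor, f_patch = parse_version(fixed)
        if (major, minor) == (f_major, f_minor):
            return patch < f_patch
    return None


def check_composer_lock(lock_text, package="typo3/cms-core"):
    """Look up `package` in a composer.lock document and report its status.

    Returns a dict with the recorded version and the is_affected() verdict,
    or None if the package is not present in either package section.
    """
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                version = entry["version"]
                return {"version": version, "affected": is_affected(version)}
    return None


# Constructed composer.lock fragment: an 11.5 installation one patch behind the fix.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms-core", "version": "v11.5.15"},
        {"name": "typo3/html-sanitizer", "version": "v2.0.15"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    result = check_composer_lock(SAMPLE_LOCK)
    verdict = {True: "AFFECTED - update required", False: "fixed", None: "unknown release line"}
    print(f"typo3/cms-core {result['version']}: {verdict[result['affected']]}")
```

Point the script at a real composer.lock by reading the file into `check_composer_lock`; the constructed sample simply stands in for that file. Installations that do not use Composer need the version taken from the admin panel or the source tree instead, but the comparison logic in `is_affected` is the same.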
As the bug requires user interaction, it is classified as moderate severity, notching a CVSS score of 6.1. However, the number of active installations of TYPO3 is vast, despite its modest market share.
This free-to-use content management system has 2.43% of the CMS market, which translates to over 230,000 customers, 46% of whom are based in Germany.
Donations and membership subscriptions are the primary funding sources for the TYPO3 Association, which has around 900 members.
The bug was discovered by security researcher David Klein, while the patch was developed by Oliver Hader, the security team lead and core developer for TYPO3.