CVE-2023-38500

Name of the Vulnerable Software and Affected Versions TYPO3 HTML Sanitizer versions 1.0.0 through 1.5.1 TYPO3 HTML Sanitizer versions 1.0.0 through 2.1.2

Description The issue arises from an encoding problem in the serialization layer of TYPO3 HTML Sanitizer, allowing malicious markup nested in a noscript element to bypass the cross-site scripting mechanism. The noscript element is disabled by default but may be enabled in custom configurations. This enables the bypassing of the cross-site scripting protection provided by TYPO3 HTML Sanitizer.

Recommendations Update to version 1.5.1 or 2.1.2 to fix the issue. As a temporary workaround, consider disabling the noscript element in custom configurations until the update is applied.