GHSA-gqqf-g5r7-84vf: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-gqqf-g5r7-84vf) is a Cross-Site Scripting (XSS) protection bypass in TYPO3's HTML Sanitizer, discovered and disclosed on September 13, 2022. This security flaw affects multiple versions of TYPO3 including 7.0.0-7.6.57, 8.0.0-8.7.47, 9.0.0-9.5.36, 10.0.0-10.4.31, and 11.0.0-11.5.15. The vulnerability has been assigned a CVSS score of 5.7 (Moderate severity) (GitHub Advisory).

The vulnerability stems from a parsing issue in the upstream package masterminds/html5, where malicious markup used in a sequence with special HTML comments cannot be properly filtered and sanitized. This weakness enables attackers to bypass the cross-site scripting protection mechanism implemented in typo3/html-sanitizer. The vulnerability has been assigned a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating it requires network access and user interaction but no privileges (GitHub Advisory).

The vulnerability can lead to cross-site scripting attacks, potentially compromising data confidentiality and integrity. The CVSS metrics indicate low impact on both confidentiality and integrity, with no impact on availability. The scope is changed, meaning the vulnerable component can impact resources beyond its security scope (GitHub Advisory).

The vulnerability has been patched in TYPO3 versions 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32, and 11.5.16. Users are strongly advised to update to these patched versions to protect against this security issue. The fix includes an upgrade to typo3/html-sanitizer v2.0.16 and masterminds/html5 v2.7.6 (TYPO3 Commit).