=====================================================================
                            CERT-Renater

                 Note d'Information No. 2021/VULN092
____________________________________________________________________

DATE                 : 23/02/2022

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running TYPO3 CMS versions prior to
                       11.5.7 LTS, 10.4.25 LTS, 9.5.33 ELTS,
                       8.7.45 ELTS, 7.6.56 ELTS.

=====================================================================
https://typo3.org/security/advisory/typo3-psa-2022-001
_____________________________________________________________________

Tue. 22nd February, 2022

TYPO3-PSA-2022-001: Sanitization bypass in SVG Sanitizer

Categories: Development, Security, TYPO3 CMS
Created by Oliver Hader

Third-party package enshrined/svg-sanitize, used by TYPO3 core
packages, was susceptible to bypassing the sanitization strategy.

Component Type:    TYPO3 CMS
Subcomponent:      SVG Sanitizer (based on enshrined/svg-sanitize)
Release Date:      February 22nd, 2022
Impact:            Cross-Site Scripting
Affected Versions: All LTS (v11, v10) & ELTS (v9, v8, v7)
Type:              Advisory
References:        CVE-2022-23638

Problem Description

The SVG sanitizer library enshrined/svg-sanitize before version 0.15.0
did not remove HTML elements wrapped in a CDATA section. As a result,
SVG content embedded in HTML (fetched as text/html) was susceptible to
cross-site scripting. Plain SVG files (fetched as image/svg+xml) were
not affected.

Example A: SVG file fetched directly (mime-type image/svg+xml)

]]>

The example above is not considered a vulnerability, since is not evaluated in this context.

Example B: SVG embedded in HTML (mime-type text/html)
]]>
The example above shows a vulnerable scenario, since both nested occurrences break out of the SVG context and get interpreted in the embedding HTML context.

Examples were extracted from
https://github.com/darylldoyle/svg-sanitizer/issues/71.

Solution

If SVG markup is embedded inline in HTML markup, please upgrade those
projects to TYPO3 versions 11.5.7 LTS, 10.4.25 LTS, 9.5.33 ELTS,
8.7.45 ELTS or 7.6.56 ELTS, which use an upgraded version of the
third-party SVG sanitizer library.

General Advice

Follow the recommendations given in the TYPO3 Security Guide.

Please subscribe to the typo3-announce mailing list.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |    email:cert@support.renater.fr +
=========================================================
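
Added example (not part of the advisory or of TYPO3): a check for Composer-managed projects that reads composer.lock and reports whether the locked enshrined/svg-sanitize release is older than 0.15.0, the fixed version named under Problem Description. It assumes Composer's standard lock layout ("packages" / "packages-dev" entries with "name" and "version"); the sample lock contents are constructed.

```python
import json
import re

PACKAGE = "enshrined/svg-sanitize"  # library named in the advisory
FIXED = (0, 15, 0)                  # first fixed release per the advisory


def parse_version(text):
    """'0.14.1' or 'v0.15.0' -> tuple; None for refs such as 'dev-master'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups())


def check_lock(lock_text):
    """Return (status, locked_version) for the sanitizer in a composer.lock."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            raw = pkg.get("version", "")
            ver = parse_version(raw)
            if ver is None:
                # Branch aliases and pre-release tags need a manual look.
                return ("unknown", raw)
            return ("vulnerable" if ver < FIXED else "fixed", raw)
    return ("absent", None)


# Constructed sample lock files (not taken from any real project).
SAMPLE_OLD = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v10.4.24"},
    {"name": "enshrined/svg-sanitize", "version": "0.14.1"},
]})
SAMPLE_NEW = json.dumps({"packages": [
    {"name": "enshrined/svg-sanitize", "version": "0.15.0"},
]})

if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, check_lock(sample))
```

A result of "absent" only means the library is not locked by Composer; installations that do not use Composer should be checked against the TYPO3 versions listed under Solution.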