CVE-2022-23499: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in TYPO3 html-sanitizer

Medium
Published: Tue Dec 13 2022 (12/13/2022, 20:29:41 UTC)
Source: CVE
Vendor/Project: TYPO3
Product: html-sanitizer

Description

HTML sanitizer is written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. In versions prior to 1.5.0 or 2.1.1, malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized due to a parsing issue in the upstream package masterminds/html5. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. The upstream package masterminds/html5 provides HTML raw text elements (`script`, `style`, `noframes`, `noembed` and `iframe`) as DOMText nodes, which were not processed and sanitized further. None of the mentioned elements are defined in the default builder configuration, so only custom behaviors that used one of those tag names were vulnerable to cross-site scripting. This issue has been fixed in versions 1.5.0 and 2.1.1.

AI-Powered Analysis

Last updated: 06/22/2025, 12:36:34 UTC

Technical Analysis

CVE-2022-23499 is a cross-site scripting (XSS) vulnerability affecting the TYPO3 html-sanitizer PHP library, specifically in versions prior to 1.5.0 and 2.1.1. The html-sanitizer is designed to prevent XSS by allowing only explicitly permitted HTML tags, attributes, and values. However, due to a parsing flaw in the upstream package masterminds/html5, certain malicious markup sequences involving special HTML CDATA sections bypass the sanitizer's protections. The masterminds/html5 package treats raw text elements such as <script>, <style>, <noframes>, <noembed>, and <iframe> as DOMText nodes, which are not further sanitized. Although these tags are not included in the default sanitizer configuration, custom configurations that enable these tags become vulnerable to XSS attacks. This vulnerability arises because the sanitizer fails to properly neutralize input embedded within these raw text elements, allowing attackers to inject malicious scripts that execute in the context of the victim's browser. The issue was addressed in html-sanitizer versions 1.5.0 and 2.1.1 by improving the parsing and sanitization logic to handle these raw text elements correctly. No known exploits have been reported in the wild as of the publication date, but the vulnerability poses a risk to applications using vulnerable versions with custom tag configurations that include these raw text elements.

Potential Impact

For European organizations using TYPO3 or other PHP applications that incorporate the vulnerable html-sanitizer versions with custom configurations allowing raw text HTML elements, this vulnerability could lead to successful XSS attacks. Such attacks can compromise the confidentiality and integrity of user data by stealing session cookies, credentials, or other sensitive information. They can also lead to unauthorized actions performed on behalf of users, defacement of websites, or distribution of malware. The impact is particularly significant for organizations handling sensitive personal data, financial information, or critical services, as XSS can be a stepping stone for more advanced attacks. Given TYPO3's popularity in European public sector websites, educational institutions, and medium to large enterprises, exploitation could undermine trust and compliance with data protection regulations such as GDPR. However, since the vulnerability requires custom configurations enabling certain tags and no widespread exploitation is known, the overall risk is moderate but should not be underestimated.

Mitigation Recommendations

Organizations should immediately audit their use of the TYPO3 html-sanitizer library to determine whether they are running affected versions (>=1.0.0, <1.5.0 or >=2.0.0, <2.1.1). If so, they should upgrade to versions 1.5.0 or 2.1.1 or later, which contain the fix. Additionally, review and restrict custom sanitizer configurations to avoid enabling raw text elements such as <script>, <style>, <noframes>, <noembed>, and <iframe> unless absolutely necessary. Implement a defense-in-depth approach by applying Content Security Policy (CSP) headers to limit script execution and reduce the impact of potential XSS. Regularly scan web applications for XSS vulnerabilities using automated tools and conduct manual code reviews focusing on input sanitization. Educate developers on secure coding practices related to HTML sanitization and the risks of enabling potentially dangerous tags. Finally, monitor security advisories from TYPO3 and related projects for updates or new vulnerabilities.
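The audit steps above (version check against the two affected ranges, and a review of custom configurations for the five raw text tag names) as an added example script; this is not code from the advisory or from the TYPO3 project. It assumes a Composer-managed PHP project with a `composer.lock`, and the source scan is a heuristic that looks for `new Tag('<name>'` constructions, which is how typo3/html-sanitizer custom behaviors declare allowed tags.

```python
import json
import re

PACKAGE = "typo3/html-sanitizer"
# Affected ranges from the advisory: >=1.0.0,<1.5.0 and >=2.0.0,<2.1.1 (lower inclusive, upper exclusive)
AFFECTED = [((1, 0, 0), (1, 5, 0)), ((2, 0, 0), (2, 1, 1))]
# Raw text elements the advisory names as not sanitized when enabled in a custom behavior
RAW_TEXT_TAGS = {"script", "style", "noframes", "noembed", "iframe"}

def parse_version(version):
    """Turn 'v2.0.16' or '1.4.9' into a comparable (major, minor, patch) tuple; None if not a release."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version or "")
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    """True if the version falls inside an affected range, False if safe, None if unparseable (e.g. dev branch)."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return any(lo <= parsed < hi for lo, hi in AFFECTED)

def audit_lock(lock_json):
    """Return (section, version, affected) for every typo3/html-sanitizer entry in a composer.lock document."""
    data = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == PACKAGE:
                version = pkg.get("version")
                findings.append((section, version, is_affected(version)))
    return findings

def raw_text_tags_in_source(php_source):
    """Heuristic: tag names passed to `new Tag('...')` that are raw text elements; sorted, lower-cased."""
    names = re.findall(r"new\s+Tag\(\s*['\"]([A-Za-z0-9]+)['\"]", php_source)
    return sorted(RAW_TEXT_TAGS & {n.lower() for n in names})

# Constructed sample inputs (not taken from any real project)
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "typo3/html-sanitizer", "version": "v2.0.16"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.5.0"}],
})
SAMPLE_BEHAVIOR_PHP = "$behavior->withTags(new Tag('div', Tag::ALLOW_CHILDREN), new Tag('iframe'));"

if __name__ == "__main__":
    for section, version, affected in audit_lock(SAMPLE_LOCK):
        print(f"{section}: {PACKAGE} {version} affected={affected}")
    print("raw text tags enabled by custom behavior:", raw_text_tags_in_source(SAMPLE_BEHAVIOR_PHP))
```

A finding is only exploitable when both checks fire: an affected version together with a custom behavior that enables one of the raw text tags.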

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-01-19T21:23:53.768Z
CISA Enriched: true

Threat ID: 682d9846c4522896dcbf4ccb

Added to database: 5/21/2025, 9:09:26 AM

Last enriched: 6/22/2025, 12:36:34 PM

Last updated: 7/31/2025, 9:47:22 PM
