Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00djU3LXB3dmYteDM1as4AA80H
Zendframework potential Cross-site Scripting vector in `Zend_Service_ReCaptcha_MailHide`
`Zend_Service_ReCaptcha_MailHide` had a potential XSS vulnerability. Because the email address was never validated, and because its call to htmlentities() did not pass the encoding argument, a malicious user aware of the issue could potentially inject a specially crafted multibyte string through the CAPTCHA's email argument.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00djU3LXB3dmYteDM1as4AA80H
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-4v57-pwvf-x35j
References:
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2010-05.yaml
- https://web.archive.org/web/20210411002217/https://framework.zend.com/security/advisory/ZF2010-05
- https://github.com/advisories/GHSA-4v57-pwvf-x35j
Affected Packages
packagist:zendframework/zendframework1
Dependent packages: 151
Dependent repositories: 841
Downloads: 6,569,545 total
Affected Version Ranges: >= 1.9.0, < 1.9.7; >= 1.8.0, < 1.8.5; >= 1.7.0, < 1.7.9
Fixed in: 1.9.7, 1.8.5, 1.7.9
All affected versions:
All unaffected versions: 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.12.10, 1.12.11, 1.12.12, 1.12.13, 1.12.14, 1.12.15, 1.12.16, 1.12.17, 1.12.18, 1.12.19, 1.12.20