Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00dmY2LW1xN3ctM2hwNs4AA80L

Zend_Filter_StripTags vulnerable to Cross-site Scripting when comments allowed

Zend_Filter_StripTags contained an optional setting to whitelist HTML comments, so that comments in filtered text were passed through untouched. Microsoft Internet Explorer and several other browsers evaluate conditional markup placed inside HTML comments, including script events and additional commented markup that is then rendered. With comment whitelisting enabled, a malicious user could therefore place an XSS payload inside an HTML comment; the filter would leave it intact and the browser would render it in the final output.
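The following is an added, self-contained model of the failure mode, not code from Zend Framework: a minimal StripTags-style filter in Python whose allow_comments switch mirrors the whitelisting option described above. The payload, tag names and the helper names are constructed for this illustration. It shows that with comments allowed an IE conditional comment carrying a script element survives the filter verbatim, and that the hardened variant (comments dropped along with everything inside them, including an unterminated comment, which browsers treat as running to end of input) removes it. The last function is an audit helper for content stored while comments were still allowed.

```python
import re

# Constructed sample input (not from the advisory): a fragment whose HTML
# comment is an IE conditional comment wrapping a script element. Browsers
# that honour conditional comments render the inner markup, so a filter that
# keeps comments verbatim passes the script through.
PAYLOAD = (
    "<p>hi</p>"
    "<!--[if IE]><script>alert(document.cookie)</script><![endif]-->"
    "<b>x</b>"
)

# An HTML comment, or an unterminated one, which browsers treat as running to
# end of input. DOTALL so a comment may span lines.
COMMENT_RE = re.compile(r"<!--.*?(?:-->|$)", re.DOTALL)
# A start or end tag; group 1 is the tag name.
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)[^>]*>")


def _strip_tags_outside_comments(fragment, allowed):
    """Drop every tag in `fragment` whose name is not in `allowed`."""
    def keep_or_drop(m):
        return m.group(0) if m.group(1).lower() in allowed else ""
    return TAG_RE.sub(keep_or_drop, fragment)


def strip_tags(html, allow_tags=(), allow_comments=False):
    """Model of a StripTags-style filter (assumed behaviour, not Zend's code).

    allow_comments=True mirrors the pre-fix whitelisting option: every comment
    is copied to the output untouched, including any markup inside it.
    allow_comments=False is the hardened form: comments, and everything
    inside them, are removed before tag filtering of the remaining text.
    """
    allowed = {t.lower() for t in allow_tags}
    out, pos = [], 0
    for m in COMMENT_RE.finditer(html):
        out.append(_strip_tags_outside_comments(html[pos:m.start()], allowed))
        if allow_comments:
            out.append(m.group(0))  # the weak setting: comment kept verbatim
        pos = m.end()
    out.append(_strip_tags_outside_comments(html[pos:], allowed))
    return "".join(out)


def comments_with_markup(html):
    """Return comments whose body contains a '<', i.e. markup hidden in a comment.

    Intended for auditing content that was stored while comments were allowed.
    """
    return [m.group(0) for m in COMMENT_RE.finditer(html) if "<" in m.group(0)[4:]]


if __name__ == "__main__":
    print("comments allowed :", strip_tags(PAYLOAD, ("p", "b"), allow_comments=True))
    print("comments stripped:", strip_tags(PAYLOAD, ("p", "b")))
    print("hidden markup    :", comments_with_markup(PAYLOAD))
```

The same check can be run against an installed copy of the library: a vulnerable build configured with the comment-whitelisting option (in the 1.x API this is, to my recollection, the `allowComments` constructor option; verify against the version in use) should return the conditional-comment payload unchanged from `filter()`, while the fixed releases listed below should strip it.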

Permalink: https://github.com/advisories/GHSA-4vf6-mq7w-3hp6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00dmY2LW1xN3ctM2hwNs4AA80L
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago


CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-4vf6-mq7w-3hp6
References:
Blast Radius: 17.8

Affected Packages

packagist:zendframework/zendframework1
Dependent packages: 151
Dependent repositories: 841
Downloads: 6,569,545 total
Affected Version Ranges: >= 1.9.0, < 1.9.7, >= 1.8.0, < 1.8.5, >= 1.7.0, < 1.7.9
Fixed in: 1.9.7, 1.8.5, 1.7.9
All affected versions:
All unaffected versions: 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.12.10, 1.12.11, 1.12.12, 1.12.13, 1.12.14, 1.12.15, 1.12.16, 1.12.17, 1.12.18, 1.12.19, 1.12.20