Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nNTJwLTg2ajUteHI4cc4AA8zx
ZendFramework Potential Cross-site Scripting in Development Environment Error View Script
The default error handling view script generated using Zend_Tool failed to escape request parameters when run in the "development" configuration environment, providing a potential XSS attack vector.
Zend_Tool_Project_Context_Zf_ViewScriptFile was patched such that the view script template now calls the escape() method on dumped request variables.
Zend Framework 1.11.4 includes a patch that adds escaping to the generated error/error.phtml view script, ensuring that request variables are escaped appropriately for the browser.
Do note, however, that this will not update any previously generated code. You will still need to follow the next advice for previously generated error view scripts.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNTJwLTg2ajUteHI4cc4AA8zx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-g52p-86j5-xr8q
References:
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2011-01.yaml
- https://web.archive.org/web/20210120123405/https://framework.zend.com/security/advisory/ZF2011-01
- https://github.com/advisories/GHSA-g52p-86j5-xr8q
Affected Packages
packagist:zendframework/zendframework1
Dependent packages: 151Dependent repositories: 841
Downloads: 6,569,545 total
Affected Version Ranges: >= 1.0.0, < 1.11.4
Fixed in: 1.11.4
All affected versions:
All unaffected versions: 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.12.10, 1.12.11, 1.12.12, 1.12.13, 1.12.14, 1.12.15, 1.12.16, 1.12.17, 1.12.18, 1.12.19, 1.12.20