ZendFramework vulnerable to Cross-site Scripting
Moderate severity
GitHub Reviewed
Published Jun 7, 2024 to the GitHub Advisory Database • Updated Jun 7, 2024
Package
Affected versions: >= 2.0.0, < 2.0.1
Patched versions: 2.0.1
Description
Reviewed Jun 7, 2024
Zend\Debug, Zend\Feed\PubSubHubbub, Zend\Log\Formatter\Xml, Zend\Tag\Cloud\Decorator, Zend\Uri, Zend\View\Helper\HeadStyle, Zend\View\Helper\Navigation\Sitemap, and Zend\View\Helper\Placeholder\Container\AbstractStandalone were not using Zend\Escaper when escaping HTML, HTML attributes, and/or URLs. While most were performing some escaping, because they were not using context-appropriate escaping mechanisms, they could potentially be exploited to perform Cross Site Scripting (XSS) attacks.
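The difference between "some escaping" and context-appropriate escaping, as an added example that is not code from ZendFramework or from this advisory. It assumes Zend\Escaper is installed through Composer and autoloadable from vendor/autoload.php; the input string is constructed, and the generic htmlspecialchars() call stands in for non-context-aware escaping rather than reproducing any affected component.

```php
<?php
// Added example, not ZendFramework code. Assumes zend-escaper is installed
// via Composer and autoloadable from vendor/autoload.php.
require __DIR__ . '/vendor/autoload.php';

use Zend\Escaper\Escaper;

$escaper = new Escaper('utf-8');

// Constructed sample input standing in for untrusted data.
$untrusted = "x' onmouseover='alert(1)";

// HTML-body style escaping reused in an attribute context. ENT_COMPAT leaves
// single quotes alone, so the value can close a single-quoted attribute.
$weakAttr = htmlspecialchars($untrusted, ENT_COMPAT, 'UTF-8');

// Context-appropriate escaping with Zend\Escaper.
$body = $escaper->escapeHtml($untrusted);      // text between tags
$attr = $escaper->escapeHtmlAttr($untrusted);  // attribute value
$url  = $escaper->escapeUrl($untrusted);       // URL component (query value)

echo "weak attr : <a title='{$weakAttr}'>link</a>\n";
echo "html body : <p>{$body}</p>\n";
echo "html attr : <a title='{$attr}'>link</a>\n";
echo "url param : <a href=\"/search?q={$url}\">link</a>\n";

// Check a reviewer can automate: after escaping for an attribute, no quote,
// whitespace, or angle bracket should survive in the output.
foreach (['htmlspecialchars' => $weakAttr, 'escapeHtmlAttr' => $attr] as $name => $out) {
    $safe = !preg_match('/[\'"<>\s]/', $out);
    printf("%-17s %s\n", $name, $safe ? 'ok' : 'can break out of attribute');
}
```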