Zend-Form vulnerable to Cross-site Scripting
Moderate severity
GitHub Reviewed
Published
Jun 7, 2024
to the GitHub Advisory Database
•
Updated Jun 7, 2024
Package
Affected versions
>= 2.0.0, < 2.2.7
>= 2.3.0, < 2.3.1
Patched versions
2.2.7
2.3.1
Description
Reviewed
Jun 7, 2024
Many Zend Framework 2 view helpers used the escapeHtml() view helper to escape HTML attribute values instead of the more appropriate escapeHtmlAttr(). escapeHtml() only encodes the five characters that are special in HTML body text (&, <, >, " and '), whereas escapeHtmlAttr() encodes every character outside a small safe set, including whitespace, = and the backtick, which browsers treat as attribute delimiters when an attribute is unquoted or loosely quoted. In situations where user-supplied data and/or JavaScript is used to seed attribute values, this can lead to cross-site scripting (XSS) attack vectors.
Vulnerable view helpers include:
Zend\Form view helpers.
Zend\Navigation (aka Zend\View\Helper\Navigation\*) view helpers.
htmlFlash(), htmlPage(), htmlQuickTime().
Zend\View\Helper\Gravatar
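The following is an added example, not code from Zend Framework or from this advisory. It contrasts body-context escaping with attribute-context escaping using two simplified stand-ins (escapeHtml and escapeHtmlAttr are written here with plain PHP and are assumed to approximate, not reproduce, Zend\Escaper's behaviour), and a hypothetical helper renderUnquoted() that emits an unquoted attribute, which is the situation where the choice of escaper decides whether injected input becomes a new attribute.

```php
<?php
// Added example (not Zend Framework code): why attribute values need
// attribute-context escaping. Runs with plain PHP >= 7.2 (uses mb_ord).
declare(strict_types=1);

// Body-context escaping, modelled on what escapeHtml() amounts to:
// htmlspecialchars() with ENT_QUOTES encodes only & < > " '.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Attribute-context escaping, modelled on escapeHtmlAttr(): every
// character outside [A-Za-z0-9,.-_] becomes a numeric entity, so a
// space, '=', '`' or '/' can never end the attribute or start a new one.
function escapeHtmlAttr(string $s): string
{
    $out = preg_replace_callback(
        '/[^A-Za-z0-9,.\-_]/u',
        static function (array $m): string {
            return sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8'));
        },
        $s
    );
    // preg_replace_callback() returns null on invalid UTF-8; treat as empty.
    return $out ?? '';
}

// Hypothetical view helper that emits an unquoted attribute. Whether the
// user-controlled value stays inside the attribute depends entirely on the
// escaper passed in, because nothing in the markup delimits the value.
function renderUnquoted(string $value, callable $escaper): string
{
    return '<input type=text name=q value=' . $escaper($value) . '>';
}

// Constructed attacker input: a space ends the attribute, then a handler.
$payload = 'x onmouseover=alert(1)';

echo renderUnquoted($payload, 'escapeHtml'), "\n";
echo renderUnquoted($payload, 'escapeHtmlAttr'), "\n";

// Quick self-check a reviewer can run against any escaper used for
// attributes: the result must contain no raw whitespace, '=', '`' or quotes.
function isAttributeSafe(string $escaped): bool
{
    return preg_match('/[\s=`"\'<>]/', $escaped) === 0;
}

var_dump(isAttributeSafe(escapeHtml($payload)));     // false: space and '=' survive
var_dump(isAttributeSafe(escapeHtmlAttr($payload))); // true: both became entities
```

With escapeHtml() the space and = in the payload survive untouched, so the browser parses onmouseover as a second attribute on the input element; with escapeHtmlAttr() they are emitted as &#x20; and &#x3D; and the whole string stays the value of the value attribute. Two caveats apply when auditing helpers: attribute escaping does not make a javascript: URL in href harmless, nor does it neutralise data placed inside an event-handler attribute, because the browser entity-decodes the attribute before the JavaScript engine sees it; those contexts need validation or JavaScript-context escaping in addition to escapeHtmlAttr(). The fix for affected applications is to upgrade to 2.2.7 or 2.3.1 and, for custom view helpers, to check that every attribute value is passed through escapeHtmlAttr() rather than escapeHtml().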
References