CVE-2022-23598 – laminas/laminas-form
Package
Manager: composer
Name: laminas/laminas-form
Vulnerable Version: >=3.1.0 <3.1.1 || >=3.0.0 <3.0.2 || >=0 <2.17.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00401 (percentile 0.59987)
Details
Cross-site Scripting when rendering error messages in laminas-form

### Impact

When rendering validation error messages via the `formElementErrors()` view helper shipped with laminas-form, many messages will contain the submitted value. However, in vulnerable versions of laminas-form, the value was not being escaped for HTML contexts, which can potentially lead to a Reflected Cross-Site Scripting (XSS) attack.

### Patches

The following versions were issued to mitigate the vulnerability:

- 2.17.1
- 3.0.2
- 3.1.1

### Workarounds

At the top of a view script where you call the `formElementErrors()` view helper, place the following code:

```php
use Laminas\Form\ElementInterface;
// The renderer class lives in the Renderer namespace of laminas-view.
use Laminas\View\Renderer\PhpRenderer;

$escapeMessages = function (ElementInterface $formOrElement, PhpRenderer $renderer): void {
    $messages = $formOrElement->getMessages();
    if (! $messages) {
        return;
    }

    // Collect every message string, escaped for an HTML context.
    // Note: this flattens nested (validator-keyed) messages into a plain list.
    $escaped = [];
    array_walk_recursive(
        $messages,
        static function (string $item) use (&$escaped, $renderer): void {
            $escaped[] = $renderer->escapeHtml($item);
        }
    );

    $formOrElement->setMessages($escaped);
};
```

Before calling `formElementErrors()` with a form, fieldset, or element, call the above closure as follows:

```php
// Usage with a form
// $this is the view renderer
$escapeMessages($form, $this);

// Usage with a fieldset
// $this is the view renderer
$escapeMessages($fieldset, $this);

// Usage with a form element
// $this is the view renderer
$escapeMessages($element, $this);
```

### For more information

If you have any questions or comments about this advisory:

* [Open an issue](https://github.com/laminas/laminas-form/issues/new)
* Email us at [security@getlaminas.org](mailto:security@getlaminas.org)
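The workaround above flattens the validator-keyed message array into a plain list. The following is an added example, not code from the advisory or from the laminas project, that escapes each message in place while keeping the structure `getMessages()` returns; the `escapeMessagesKeepingKeys` and `escapeElementMessages` function names are assumptions, and `htmlspecialchars` is used as a stand-in for the renderer's `escapeHtml()` helper so the file runs without laminas-view installed.

```php
<?php
declare(strict_types=1);

use Laminas\Form\ElementInterface;
use Laminas\View\Renderer\PhpRenderer;

/**
 * Escape every message string for an HTML context while preserving the
 * nested, validator-keyed structure that getMessages() returns.
 * (Hypothetical helper, not part of laminas-form.)
 */
function escapeMessagesKeepingKeys(array $messages, callable $escape): array
{
    // Walk by reference so keys and nesting survive; only strings are escaped.
    array_walk_recursive($messages, static function (&$item) use ($escape): void {
        if (is_string($item)) {
            $item = $escape($item);
        }
    });

    return $messages;
}

/**
 * Drop-in replacement for the advisory's $escapeMessages closure: call it in a
 * view script before $this->formElementErrors($formOrElement).
 */
function escapeElementMessages(ElementInterface $formOrElement, PhpRenderer $renderer): void
{
    $messages = $formOrElement->getMessages();
    if ($messages === []) {
        return;
    }

    // escapeHtml is a view helper reached through PhpRenderer::__call().
    $formOrElement->setMessages(escapeMessagesKeepingKeys($messages, [$renderer, 'escapeHtml']));
}

// Constructed sample: a validation message that echoes a hostile submitted value.
$sample = [
    'email' => [
        'emailAddressInvalidFormat' => "The input '<script>alert(1)</script>' is not a valid email address",
    ],
];

// Stand-in for $renderer->escapeHtml(): same HTML-context escaping semantics.
$escaped = escapeMessagesKeepingKeys(
    $sample,
    static fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
);

// Keys are intact and the markup is neutralised.
assert(str_contains($escaped['email']['emailAddressInvalidFormat'], '&lt;script&gt;'));
```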
Metadata
Created: 2022-01-28T23:08:29Z
Modified: 2022-02-07T21:16:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-jq4p-mq33-w375/GHSA-jq4p-mq33-w375.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-jq4p-mq33-w375
Finding: F008
Auto approve: 1