
GHSA-g52p-86j5-xr8q zendframework/zendframework1

Package

Manager: composer
Name: zendframework/zendframework1
Vulnerable Version: >=1.0.0 <1.11.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

ZendFramework Potential Cross-site Scripting in Development Environment Error View Script

The default error handling view script generated using `Zend_Tool` failed to escape request parameters when run in the "development" configuration environment, providing a potential XSS attack vector.

`Zend_Tool_Project_Context_Zf_ViewScriptFile` was patched such that the view script template now calls the `escape()` method on dumped request variables. Zend Framework 1.11.4 includes a patch that adds escaping to the generated error/error.phtml view script, ensuring that request variables are escaped appropriately for the browser.

Do note, however, that this will not update any previously generated code. You will still need to follow the next advice for previously generated error view scripts.
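As an added illustration (not the Zend Framework project's own template code), the PHP below renders a dump of request parameters the way the pre-1.11.4 template did, beside the escaped form the patched template produces. `EscapingView` is a stand-in for `Zend_View`, and the request parameters are constructed sample input.

```php
<?php
// Added illustration, not Zend Framework code. EscapingView stands in for
// Zend_View; only its escape() method matters for this advisory.
final class EscapingView
{
    /** @var array<string,mixed> constructed request parameters */
    public array $params;

    public function __construct(array $params)
    {
        $this->params = $params;
    }

    // htmlspecialchars() is also Zend_View's default escape callback;
    // the flag choice here is ours.
    public function escape(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }

    // Shape of the generated error view before 1.11.4: the var_export()
    // dump of request parameters is written straight into the HTML.
    public function renderVulnerable(): string
    {
        return '<h3>Request Parameters:</h3><pre>'
            . var_export($this->params, true)
            . '</pre>';
    }

    // Shape of the patched template: the same dump passes through escape()
    // before it reaches the browser, so markup in a parameter is inert text.
    public function renderFixed(): string
    {
        return '<h3>Request Parameters:</h3><pre>'
            . $this->escape(var_export($this->params, true))
            . '</pre>';
    }
}

// Constructed sample request: parameter "q" carries markup a browser would run.
$view = new EscapingView([
    'controller' => 'index',
    'action'     => 'index',
    'q'          => '<script>alert(1)</script>',
]);

echo "VULNERABLE:\n", $view->renderVulnerable(), "\n\n";
echo "FIXED:\n", $view->renderFixed(), "\n";
// In the FIXED output the tag appears as &lt;script&gt;...&lt;/script&gt;.
```

Because upgrading only changes the template used for future generation, an error/error.phtml that `Zend_Tool` generated earlier still contains the unescaped form and has to be edited by hand to wrap the dump in `$this->escape()`.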

Metadata

Created: 2024-06-07T21:20:39Z
Modified: 2024-06-07T21:20:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-g52p-86j5-xr8q/GHSA-g52p-86j5-xr8q.json
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F008
Auto approve: 1