GHSA-hg35-vqp3-fv39 – zendframework/zendframework1

Package

Manager: composer
Name: zendframework/zendframework1
Vulnerable Version: >=1.9.0 <1.9.7

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

ZendFramework potential Cross-site Scripting vectors due to inconsistent encodings A number of classes, primarily within the `Zend_Form`, `Zend_Filter`, `Zend_Form`, `Zend_Log` and `Zend_View components`, contained character encoding inconsistencies whereby calls to the `htmlspecialchars()` and htmlentities() functions used undefined or hard coded charset parameters. In many of these cases developers were unable to set a character encoding of their choice. These inconsistencies could, in specific circumstances, allow certain multibyte representations of special HTML characters pass through unescaped leaving applications potentially vulnerable to cross-site scripting (XSS) exploits. Such exploits would only be possible if a developer used a non-typical character encoding (such as UTF-7), allowed users to define the character encoding, or served HTML documents without a valid character set defined.

Metadata

Created: 2024-06-07T21:14:54Z
Modified: 2024-06-07T21:14:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-hg35-vqp3-fv39/GHSA-hg35-vqp3-fv39.json
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F008
Auto approve: 1