Reflected cross-site scripting (XSS) in zendframework/zendframework

Description

Zend Framework has a potential cross-site scripting vector in multiple view helpers.

Many Zend Framework 2 view helpers were using the escapeHtml() view helper to escape HTML attribute values, instead of the more appropriate escapeHtmlAttr(). escapeHtml() only neutralises the characters that matter in element body content (&, <, >, quotes), whereas attribute context also needs characters such as whitespace and "=" encoded, since they can terminate one attribute and start another. In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross-site scripting (XSS) attack vectors.

Vulnerable view helpers include:

    All Zend\Form view helpers.

    Most Zend\Navigation (aka Zend\View\Helper\Navigation\*) view helpers.

    All "HTML Element" view helpers: htmlFlash(), htmlPage(), htmlQuickTime().

    Zend\View\Helper\Gravatar
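The following is an added illustration, not code from Zend Framework: a simplified Python re-implementation of the two escaping strategies the advisory contrasts (body-context escaping like escapeHtml(), and attribute-context escaping like escapeHtmlAttr(), which encodes every character outside [A-Za-z0-9,.-_] as a numeric entity). It renders a constructed value into an unquoted attribute and parses the result back to show that only the attribute escaper keeps the value inside a single attribute. The helper names (escape_html, escape_html_attr, render_input, parse_attrs) are assumptions for this example.

```python
import html
import re
from html.parser import HTMLParser


def escape_html(value: str) -> str:
    """Body-context escaping (like htmlspecialchars with ENT_QUOTES): only & < > " ' change."""
    return html.escape(value, quote=True)


def escape_html_attr(value: str) -> str:
    """Attribute-context escaping: everything outside [A-Za-z0-9,.-_] becomes &#xHH;
    (simplified model of Zend\\Escaper::escapeHtmlAttr, which also uses a few named entities)."""
    return re.sub(r"[^A-Za-z0-9,.\-_]", lambda m: f"&#x{ord(m.group(0)):02X};", value)


def render_input(value: str, escaper) -> str:
    """Render an unquoted attribute, the pattern that escapeHtml() does not protect."""
    return "<input value=%s>" % escaper(value)


class _AttrCollector(HTMLParser):
    """Collects the attributes the browser-like parser sees on the first start tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs = attrs


def parse_attrs(markup: str):
    """Return the (name, value) pairs parsed from the tag, with entities decoded."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    # Constructed input: a space and "=" are harmless in body context but
    # split an unquoted attribute into two attributes.
    untrusted = "a b=c"
    print(parse_attrs(render_input(untrusted, escape_html)))       # [('value', 'a'), ('b', 'c')]
    print(parse_attrs(render_input(untrusted, escape_html_attr)))  # [('value', 'a b=c')]
```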

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
