GitHub Advisory Database: GHSA-4V57-PWVF-X35J
History: Jun 07, 2024 - 9:59 p.m.

Zendframework potential Cross-site Scripting vector in `Zend_Service_ReCaptcha_MailHide`

2024-06-07 21:59:20
CWE-79
Source: GitHub Advisory Database (github.com)
Tags: zendframework, cross-site scripting, xss, vulnerability, email address, htmlentities, multibyte string, attack, captcha, software

AI Score: 6.2 Medium (Confidence: High)

Zend_Service_ReCaptcha_MailHide had a potential XSS vulnerability. Because the email address was never validated, and because its call to htmlentities() did not include the encoding argument, it was potentially possible for a malicious user aware of the issue to inject a specially crafted multibyte string as an attack via the CAPTCHA's email argument.
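
The two gaps named above (no validation of the address, no encoding argument to htmlentities()) are shown here next to a hardened form. This is an added example, not Zend Framework code; the function names are hypothetical, and it assumes a UTF-8 page and the mbstring extension.

```php
<?php
declare(strict_types=1);

// Added example with hypothetical helper names; not Zend Framework code.
// Assumes the page is served as UTF-8 and the mbstring extension is loaded.

// Pattern the advisory describes: no validation and no explicit encoding,
// so the charset used for escaping depends on the PHP version and ini settings.
function escape_email_weak(string $email): string
{
    return htmlentities($email);
}

// Hardened pattern: reject malformed byte sequences and non-addresses first,
// then escape with an explicit charset that matches the response charset.
function escape_email_hardened(string $email): ?string
{
    if (!mb_check_encoding($email, 'UTF-8')) {
        return null; // invalid multibyte sequence
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // not a syntactically valid address
    }
    return htmlentities($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    'user@example.com',
    "user\xC0@example.com", // stray lead byte, not valid UTF-8
    'not-an-address',
    "o'brien@example.com",  // apostrophe in the local part
];

foreach ($samples as $email) {
    $safe = escape_email_hardened($email);
    // bin2hex keeps the raw input printable even when it is not valid UTF-8.
    printf("%-36s => %s\n", bin2hex($email), $safe ?? 'rejected');
}
```

The charset passed to htmlentities() has to match the charset the response declares; escaping under one charset and rendering under another is the mismatch the advisory's multibyte concern comes from.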

Affected configurations

zendframework zendframework1 Range <1.9.7
OR
zendframework zendframework1 Range <1.8.5
OR
zendframework zendframework1 Range <1.7.9
