Zend_Filter_StripTags vulnerable to Cross-site Scripting when comments allowed

2024-06-0722:09:17

CWE-79

GitHub Advisory Database

github.com

zend_filter_striptags

vulnerability

html comments

cross-site scripting

security

browser

6 Medium

AI Score

Confidence

High

JSON

Zend_Filter_StripTags contained an optional setting to allow whitelisting HTML comments in filtered text. Microsoft Internet Explorer and several other browsers allow developers to create conditional functionality via HTML comments, including execution of script events and rendering of additional commented markup. By allowing whitelisting of HTML comments, a malicious user could potentially include XSS exploits within HTML comments that would then be rendered in the final output.

Affected configurations

Vulners

Node

zendframeworkzendframework1Range<1.9.7

zendframeworkzendframework1Range<1.8.5

zendframeworkzendframework1Range<1.7.9

CPENameOperatorVersion
zendframework/zendframework1lt1.9.7
zendframework/zendframework1lt1.8.5
zendframework/zendframework1lt1.7.9

Name	Operator	Version
zendframework/zendframework1	lt	1.9.7
zendframework/zendframework1	lt	1.8.5
zendframework/zendframework1	lt	1.7.9

References

github.com/advisories/GHSA-4vf6-mq7w-3hp6

github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2010-03.yaml

web.archive.org/web/20210411020019/https://framework.zend.com/security/advisory/ZF2010-03

6 Medium

AI Score

Confidence

High

JSON