Zend-Form vulnerable to Cross-site Scripting

2024-06-0721:58:34

CWE-79

GitHub Advisory Database

github.com

zend framework 2

view helpers

escapehtml

escapehtmlattr

xss

attack

vulnerability

javascript

attributes

software

AI Score

5.8

Confidence

High

JSON

Many Zend Framework 2 view helpers were using the escapeHtml() view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr(). In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting (XSS) attack vectors.

Vulnerable view helpers include:

All Zend\Form view helpers.
Most Zend\Navigation (aka Zend\View\Helper\Navigation\*) view helpers.
All “HTML Element” view helpers: htmlFlash(), htmlPage(), htmlQuickTime().
Zend\View\Helper\Gravatar

Affected configurations

Vulners

Node

zendframeworkzend-formRange2.3.0–2.3.1

zendframeworkzend-formRange2.0.0–2.2.7

VendorProductVersionCPE
zendframeworkzend-form*cpe:2.3:a:zendframework:zend-form:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
zendframework	zend-form	*	cpe:2.3:a:zendframework:zend-form::::::::

References

framework.zend.com/security/advisory/ZF2014-03

github.com/advisories/GHSA-gvpp-6jrj-5pqc

github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-form/ZF2014-03.yaml

github.com/zendframework/zend-form/commit/6fe40314e8e3477494aadd03d62573bd1c212bd1

github.com/zendframework/zend-form/commit/d7a1f5bc4626b1df990391502a868b28c37ba65d

github.com/zendframework/zend-form/commit/fd43a951460c4bc60c77a566129705f6bdb9c61b

AI Score

5.8

Confidence

High

JSON