Many Zend Framework 2 view helpers were using the escapeHtml() view helper to escape HTML attributes instead of the more appropriate escapeHtmlAttr(). Where user data and/or JavaScript is used to seed attribute values, this can lead to potential cross-site scripting (XSS) attack vectors, because escapeHtml() only encodes the characters that are significant in HTML body text, not the characters that delimit attributes.
Vulnerable view helpers include:

- Zend\Form view helpers.
- Zend\Navigation (aka Zend\View\Helper\Navigation\*) view helpers.
- htmlFlash(), htmlPage(), htmlQuickTime().
- Zend\View\Helper\Gravatar
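The following is an added example, not code from the ZF2014-03 advisory or from Zend Framework itself. It reimplements the two escaping policies in miniature (function names are this example's own, not Zend\Escaper's) and renders one constructed value into an unquoted attribute with each, so the difference the advisory describes can be seen directly.

```php
<?php
// Added example (not code from the ZF2014-03 advisory or from Zend Framework).
// Two simplified escapers, one per output context, plus a renderer that puts
// the escaped value into an unquoted attribute, which is the case where a
// body-context escaper is not enough.

declare(strict_types=1);

/**
 * Body-context escaping: only the HTML-significant characters (& < > " ')
 * are encoded. This is the policy of escapeHtml()-style helpers.
 */
function escapeForHtmlBody(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Attribute-context escaping: every character outside [A-Za-z0-9,.-_] is
 * encoded as a hex entity, so whitespace, quotes and '=' can never act as
 * attribute delimiters. This mirrors the stricter escapeHtmlAttr()-style
 * policy (simplified here: no special handling of control characters).
 */
function escapeForHtmlAttribute(string $value): string
{
    return preg_replace_callback(
        '/[^a-zA-Z0-9,.\-_]/u',
        static function (array $m): string {
            return sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8'));
        },
        $value
    );
}

/**
 * Renders an attribute without surrounding quotes using the given escaper.
 * Unquoted attributes are the worst case; the comparison below shows why
 * the escaper must be chosen for the attribute context regardless.
 */
function renderUnquotedAttr(string $name, string $value, callable $escaper): string
{
    return sprintf('<input %s=%s>', $name, $escaper($value));
}

/**
 * Defender check: an attribute-escaped value must contain no raw whitespace,
 * quote or '=' character, otherwise it can terminate or extend the attribute.
 */
function isSafeAttributeToken(string $escaped): bool
{
    return preg_match('/[\s=\'"]/', $escaped) === 0;
}

// Constructed sample input: contains a space and '=', which are harmless to
// the body escaper but are attribute delimiters.
$sample = 'foo bar=baz';

$weak = renderUnquotedAttr('value', $sample, 'escapeForHtmlBody');
$safe = renderUnquotedAttr('value', $sample, 'escapeForHtmlAttribute');

printf("body-escaped:      %s\n", $weak);
printf("attribute-escaped: %s\n", $safe);

var_dump(isSafeAttributeToken(escapeForHtmlBody($sample)));      // body escaper leaves delimiters intact
var_dump(isSafeAttributeToken(escapeForHtmlAttribute($sample))); // attribute escaper encodes them
```

Run with `php example.php` (PHP 7.2 or later for mb_ord). With the body escaper the space in the sample value ends the attribute and the remainder is parsed as a second attribute, which is exactly how attacker-controlled data reaches an attribute context; with the attribute escaper the whole value stays a single token. In a code review of view helpers, the check in isSafeAttributeToken() is the property to look for: any attribute value that reaches the template through escapeHtml() alone should be treated as a finding and switched to escapeHtmlAttr().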
| Vendor | Product | Version | CPE |
|---|---|---|---|
| zendframework | zend-form | * | cpe:2.3:a:zendframework:zend-form:*:*:*:*:*:*:*:* |
framework.zend.com/security/advisory/ZF2014-03
github.com/advisories/GHSA-gvpp-6jrj-5pqc
github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-form/ZF2014-03.yaml
github.com/zendframework/zend-form/commit/6fe40314e8e3477494aadd03d62573bd1c212bd1
github.com/zendframework/zend-form/commit/d7a1f5bc4626b1df990391502a868b28c37ba65d
github.com/zendframework/zend-form/commit/fd43a951460c4bc60c77a566129705f6bdb9c61b