ZendFramework has potential Cross-site Scripting vector in multiple view helpers

2024-06-0720:58:08

CWE-79

GitHub Advisory Database

github.com

zendframework

cross-site scripting

xss

view helpers

html attributes

user data

javascript

security vulnerabilities

AI Score

5.8

Confidence

High

JSON

Many Zend Framework 2 view helpers were using the escapeHtml() view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr(). In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting (XSS) attack vectors.

Vulnerable view helpers include:

All Zend\Form view helpers.
Most Zend\Navigation (aka Zend\View\Helper\Navigation\*) view helpers.
All “HTML Element” view helpers: htmlFlash(), htmlPage(), htmlQuickTime().
Zend\View\Helper\Gravatar

Affected configurations

Vulners

Node

zendframeworkzend-viewRange2.3.0–2.3.1

zendframeworkzend-viewRange2.0.0–2.2.7

VendorProductVersionCPE
zendframeworkzend-view*cpe:2.3:a:zendframework:zend-view:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
zendframework	zend-view	*	cpe:2.3:a:zendframework:zend-view::::::::

References

framework.zend.com/security/advisory/ZF2014-03

github.com/advisories/GHSA-m7hr-j867-3f34

github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-view/ZF2014-03.yaml

github.com/zendframework/zendframework/commit/12f89b587cd23dd781cde25c9dd2da75d8f829d7

github.com/zendframework/zendframework/commit/1dd4f8cede07469390eef1e629f808349fa1b5ea

github.com/zendframework/zendframework/commit/6742ddad7a7923163cea6dd58d27d0e946a402d1

github.com/zendframework/zendframework/commit/ec6c0468514c111a244552cfb7cf575a726e017e

AI Score

5.8

Confidence

High

JSON