Zendframework Potential XSS or HTML Injection vector in Zend_Json

2024-06-0721:52:44

CWE-79

GitHub Advisory Database

github.com

zendframework

json

html injection

xss

encoder

6.3 Medium

AI Score

Confidence

High

JSON

Zend_Json_Encoder was not taking into account the solidus character (/) during encoding, leading to incompatibilities with the JSON specification, and opening the potential for XSS or HTML injection attacks when returning HTML within a JSON string.

Affected configurations

Vulners

Node

zendframeworkzendframework1Range<1.9.7

zendframeworkzendframework1Range<1.8.5

zendframeworkzendframework1Range<1.7.9

CPENameOperatorVersion
zendframework/zendframework1lt1.9.7
zendframework/zendframework1lt1.8.5
zendframework/zendframework1lt1.7.9

Name	Operator	Version
zendframework/zendframework1	lt	1.9.7
zendframework/zendframework1	lt	1.8.5
zendframework/zendframework1	lt	1.7.9

References

github.com/advisories/GHSA-vvm3-rv48-j3g5

github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2010-06.yaml

web.archive.org/web/20200228150030/https://framework.zend.com/security/advisory/ZF2010-06

6.3 Medium

AI Score

Confidence

High

JSON