Zendframework has potential Cross-site Scripting vector in multiple view helpers

2024-06-0720:04:04

Google

osv.dev

zendframework

xss

view helpers

escapehtml

escapehtmlattr

html element

gravatar

5.8 Medium

AI Score

Confidence

High

JSON

Many Zend Framework 2 view helpers were using the escapeHtml() view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr(). In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting (XSS) attack vectors.

Vulnerable view helpers include:

All Zend\Form view helpers.
Most Zend\Navigation (aka Zend\View\Helper\Navigation\*) view helpers.
All “HTML Element” view helpers: htmlFlash(), htmlPage(), htmlQuickTime().
Zend\View\Helper\Gravatar

CPENameOperatorVersion
zendframework/zendframeworkeq2.2.0rc2
zendframework/zendframeworkeq2.2.1
zendframework/zendframeworkeq2.0.3
zendframework/zendframeworkeq2.0.8
zendframework/zendframeworkeq2.2.4
zendframework/zendframeworkeq2.0.5
zendframework/zendframeworkeq2.0.0
zendframework/zendframeworkeq2.2.0
zendframework/zendframeworkeq2.0.4
zendframework/zendframeworkeq2.1.2

Name	Operator	Version
zendframework/zendframework	eq	2.2.0rc2
zendframework/zendframework	eq	2.2.1
zendframework/zendframework	eq	2.0.3
zendframework/zendframework	eq	2.0.8
zendframework/zendframework	eq	2.2.4
zendframework/zendframework	eq	2.0.5
zendframework/zendframework	eq	2.0.0
zendframework/zendframework	eq	2.2.0
zendframework/zendframework	eq	2.0.4
zendframework/zendframework	eq	2.1.2

Rows per page:

1-10 of 271

References

framework.zend.com/security/advisory/ZF2014-03

github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2014-03.yaml

github.com/zendframework/zendframework

github.com/zendframework/zendframework/commit/1dd4f8cede07469390eef1e629f808349fa1b5ea

github.com/zendframework/zendframework/commit/6742ddad7a7923163cea6dd58d27d0e946a402d1

5.8 Medium

AI Score

Confidence

High

JSON