GHSA-hg35-vqp3-fv39: ZendFramework potential Cross-site Scripting vectors due to inconsistent encodings

1. GitHub Advisory Database
2. GitHub Reviewed
3. GHSA-hg35-vqp3-fv39

ZendFramework potential Cross-site Scripting vectors due to inconsistent encodings

Moderate severity GitHub Reviewed Published Jun 7, 2024 to the GitHub Advisory Database • Updated Jun 7, 2024

Package

composer zendframework/zendframework1 (Composer)

Affected versions

>= 1.9.0, < 1.9.7

A number of classes, primarily within the Zend_Form, Zend_Filter, Zend_Form, Zend_Log and Zend_View components, contained character encoding inconsistencies whereby calls to the htmlspecialchars() and htmlentities() functions used undefined or hard coded charset parameters. In many of these cases developers were unable to set a character encoding of their choice. These inconsistencies could, in specific circumstances, allow certain multibyte representations of special HTML characters pass through unescaped leaving applications potentially vulnerable to cross-site scripting (XSS) exploits. Such exploits would only be possible if a developer used a non-typical character encoding (such as UTF-7), allowed users to define the character encoding, or served HTML documents without a valid character set defined.

References

• https://framework.zend.com/security/advisory/ZF2010-01
• https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2010-01.yaml

Published to the GitHub Advisory Database

Jun 7, 2024