Headline
GHSA-hg35-vqp3-fv39: ZendFramework potential Cross-site Scripting vectors due to inconsistent encodings
A number of classes, primarily within the Zend_Form
, Zend_Filter
, Zend_Form
, Zend_Log
and Zend_View components
, contained character encoding inconsistencies whereby calls to the htmlspecialchars()
and htmlentities() functions used undefined or hard coded charset parameters. In many of these cases developers were unable to set a character encoding of their choice. These inconsistencies could, in specific circumstances, allow certain multibyte representations of special HTML characters pass through unescaped leaving applications potentially vulnerable to cross-site scripting (XSS) exploits. Such exploits would only be possible if a developer used a non-typical character encoding (such as UTF-7), allowed users to define the character encoding, or served HTML documents without a valid character set defined.
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-hg35-vqp3-fv39
ZendFramework potential Cross-site Scripting vectors due to inconsistent encodings
Moderate severity GitHub Reviewed Published Jun 7, 2024 to the GitHub Advisory Database • Updated Jun 7, 2024
Package
composer zendframework/zendframework1 (Composer)
Affected versions
>= 1.9.0, < 1.9.7
A number of classes, primarily within the Zend_Form, Zend_Filter, Zend_Form, Zend_Log and Zend_View components, contained character encoding inconsistencies whereby calls to the htmlspecialchars() and htmlentities() functions used undefined or hard coded charset parameters. In many of these cases developers were unable to set a character encoding of their choice. These inconsistencies could, in specific circumstances, allow certain multibyte representations of special HTML characters pass through unescaped leaving applications potentially vulnerable to cross-site scripting (XSS) exploits. Such exploits would only be possible if a developer used a non-typical character encoding (such as UTF-7), allowed users to define the character encoding, or served HTML documents without a valid character set defined.
References
- https://framework.zend.com/security/advisory/ZF2010-01
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2010-01.yaml
Published to the GitHub Advisory Database
Jun 7, 2024