Headline
GHSA-g52p-86j5-xr8q: ZendFramework Potential Cross-site Scripting in Development Environment Error View Script
The default error handling view script generated using Zend_Tool failed to escape request parameters when run in the “development” configuration environment, providing a potential XSS attack vector.
Zend_Tool_Project_Context_Zf_ViewScriptFile was patched such that the view script template now calls the escape() method on dumped request variables.
Zend Framework 1.11.4 includes a patch that adds escaping to the generated error/error.phtml view script, ensuring that request variables are escaped appropriately for the browser. Do note, however, that this will not update any previously generated code. You will still need to follow the next advice for previously generated error view scripts.
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-g52p-86j5-xr8q
ZendFramework Potential Cross-site Scripting in Development Environment Error View Script
Moderate severity GitHub Reviewed Published Jun 7, 2024 to the GitHub Advisory Database
Package
composer zendframework/zendframework1 (Composer)
Affected versions
>= 1.0.0, < 1.11.4
Description
Published to the GitHub Advisory Database
Jun 7, 2024
Severity
CVSS base metrics
User interaction
Required
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses
GHSA ID
GHSA-g52p-86j5-xr8q
Source code