GHSA-4vf6-mq7w-3hp6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4vf6-mq7w-3hp6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-4vf6-mq7w-3hp6/GHSA-4vf6-mq7w-3hp6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4vf6-mq7w-3hp6
- Published
- 2024-06-07T22:09:17Z
- Modified
- 2024-06-07T22:09:17Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Zend_Filter_StripTags vulnerable to Cross-site Scripting when comments allowed
- Details
-
ZendFilterStripTags contained an optional setting to allow whitelisting HTML comments in filtered text. Microsoft Internet Explorer and several other browsers allow developers to create conditional functionality via HTML comments, including execution of script events and rendering of additional commented markup. By allowing whitelisting of HTML comments, a malicious user could potentially include XSS exploits within HTML comments that would then be rendered in the final output.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-06-07T22:09:17Z" }- References
Affected packages
Packagist / zendframework/zendframework1
Package
- Name
- zendframework/zendframework1
- Purl
- pkg:composer/zendframework/zendframework1
Packagist / zendframework/zendframework1
Package
- Name
- zendframework/zendframework1
- Purl
- pkg:composer/zendframework/zendframework1
Packagist / zendframework/zendframework1
Package
- Name
- zendframework/zendframework1
- Purl
- pkg:composer/zendframework/zendframework1