GHSA-g52p-86j5-xr8q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g52p-86j5-xr8q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-g52p-86j5-xr8q/GHSA-g52p-86j5-xr8q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g52p-86j5-xr8q
- Published
- 2024-06-07T21:20:39Z
- Modified
- 2024-06-07T21:20:39Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- ZendFramework Potential Cross-site Scripting in Development Environment Error View Script
- Details
-
The default error handling view script generated using
Zend_Toolfailed to escape request parameters when run in the "development" configuration environment, providing a potential XSS attack vector.Zend_Tool_Project_Context_Zf_ViewScriptFilewas patched such that the view script template now calls theescape()method on dumped request variables.Zend Framework 1.11.4 includes a patch that adds escaping to the generated error/error.phtml view script, ensuring that request variables are escaped appropriately for the browser. Do note, however, that this will not update any previously generated code. You will still need to follow the next advice for previously generated error view scripts.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-06-07T21:20:39Z" }- References
Affected packages
Packagist / zendframework/zendframework1
Package
- Name
- zendframework/zendframework1
- Purl
- pkg:composer/zendframework/zendframework1