GHSA-jq4p-mq33-w375
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jq4p-mq33-w375
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-jq4p-mq33-w375/GHSA-jq4p-mq33-w375.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jq4p-mq33-w375
- Aliases
- Published
- 2022-01-28T23:08:29Z
- Modified
- 2024-02-19T05:32:54.368200Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Cross-site Scripting when rendering error messages in laminas-form
- Details
-
Impact
When rendering validation error messages via the
formElementErrors()view helper shipped with laminas-form, many messages will contain the submitted value. However, in vulnerable versions of laminas-form, the value was not being escaped for HTML contexts, which can potentially lead to a Reflected Cross-Site Scripting (XSS) attack.Patches
The following versions were issued to mitigate the vulnerability:
- 2.17.1
- 3.0.2
- 3.1.1
Workarounds
At the top of a view script where you call the
formElementErrors()view helper, place the following code:use Laminas\Form\ElementInterface; use Laminas\View\PhpRenderer; $escapeMessages = function (ElementInterface $formOrElement, PhpRenderer $renderer): void { $messages = $element->getMessages(); if (! $messages) { return; } $escaped = []; array_walk_recursive( $messages, static function (string $item) use (&$escaped, $renderer): void { $escaped[] = $renderer->escapeHtml($item); } }; $element->setMessages($escaped); };Before calling
formElementErrors()with a form, fieldset, or element, call the above closure as follows// Usage with a form // $this is the view renderer $escapeMessages($form, $this); // Usage with a fieldset // $this is the view renderer $escapeMessages($fieldset, $this); // Usage with a form element // $this is the view renderer $escapeMessages($element, $this);For more information
If you have any questions or comments about this advisory:
- Open an issue
- Email us at security@getlaminas.org
- Database specific
{ "nvd_published_at": "2022-01-28T22:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-01-28T18:49:08Z" }- References
-
- https://github.com/laminas/laminas-form/security/advisories/GHSA-jq4p-mq33-w375
- https://nvd.nist.gov/vuln/detail/CVE-2022-23598
- https://github.com/laminas/laminas-form/commit/43005a3ec4c2292d4f825273768d9b884acbca37
- https://getlaminas.org/security/advisory/LP-2022-01
- https://github.com/laminas/laminas-form
- https://github.com/laminas/laminas-form/releases/tag/2.17.1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFF6WJ5I7PSEBRF6I753WKE2BXFBGQXE
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLNABVK26CE4PFL57VLY242FW3QY4CPC
Affected packages
Packagist / laminas/laminas-form
Package
- Name
- laminas/laminas-form
- Purl
- pkg:composer/laminas/laminas-form
Packagist / laminas/laminas-form
Package
- Name
- laminas/laminas-form
- Purl
- pkg:composer/laminas/laminas-form
Packagist / laminas/laminas-form
Package
- Name
- laminas/laminas-form
- Purl
- pkg:composer/laminas/laminas-form
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.17.1
Affected versions
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0rc1
2.2.0rc2
2.2.0rc3
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0rc1
2.4.0rc2
2.4.0rc3
2.4.0rc4
2.4.0rc5
2.4.0rc6
2.4.0rc7
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10
2.4.11
2.4.12
2.4.13
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.7.0
2.7.1
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.9.0
2.9.1
2.9.2
2.10.0
2.10.1
2.10.2
2.11.0
2.12.0
2.12.1
2.13.0
2.14.0
2.14.1
2.14.2
2.14.3
2.14.4
2.14.5
2.14.6
2.15.0
2.15.1
2.16.0
2.16.1
2.16.2
2.16.3
2.17.0