Vulnerability Database
289,697
Total vulnerabilities in the database
Zendframework has potential Cross-site Scripting vector in multiple view helpers
Many Zend Framework 2 view helpers were using the escapeHtml() view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr(). In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting (XSS) attack vectors.
Vulnerable view helpers include:
- All
Zend\Formview helpers. - Most
Zend\Navigation(akaZend\View\Helper\Navigation\*) view helpers. - All "HTML Element" view helpers:
htmlFlash(),htmlPage(),htmlQuickTime(). -
Zend\View\Helper\Gravatar
| Software | From | Fixed in |
|---|---|---|
zendframework / zendframework
|
2.0.0 | 2.2.7 |
|
zendframework / zendframework
|
2.3.0 | 2.3.1 |
- https://framework.zend.com/security/advisory/ZF2014-03
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2014-03.yaml
- https://github.com/zendframework/zendframework/commit/1dd4f8cede07469390eef1e629f808349fa1b5ea
- https://github.com/zendframework/zendframework/commit/6742ddad7a7923163cea6dd58d27d0e946a402d1