ZendFramework potential Cross-site Scripting vector in `Zend_Dojo_View_Helper_Editor`

Zend_Dojo_View_Helper_Editor was incorrectly decorating a TEXTAREA instead of a DIV. The Dojo team has reported that this has security implications as the rich text editor they use is unable to escape content for a TEXTAREA.

Published: Jun 7, 2024
Updated: Jun 27, 2024
GHSA: GHSA-j543-vg33-g6vj
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
zendframework / zendframework1	1.7.0	1.7.9
zendframework / zendframework1	1.8.0	1.8.5
zendframework / zendframework1	1.9.0	1.9.7

https://framework.zend.com/security/advisory/ZF2010-02
https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2010-02.yaml

Vulnerability Database

290,206

ZendFramework potential Cross-site Scripting vector in `Zend_Dojo_View_Helper_Editor`