Zendframework potential Cross-site Scripting vector in `Zend_Service_ReCaptcha_MailHide`

Zend_Service_ReCaptcha_MailHide had a potential XSS vulnerability. Due to the fact that the email address was never validated, and because its use of htmlentities() did not include the encoding argument, it was potentially possible for a malicious user aware of the issue to inject a specially crafted multibyte string as an attack via the CAPTCHA's email argument

Published: Jun 7, 2024
Updated: Jun 27, 2024
GHSA: GHSA-4v57-pwvf-x35j
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
zendframework / zendframework1	1.7.0	1.7.9
zendframework / zendframework1	1.8.0	1.8.5
zendframework / zendframework1	1.9.0	1.9.7

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2010-05.yaml
https://web.archive.org/web/20210411002217/https://framework.zend.com/security/advisory/ZF2010-05

Vulnerability Database

290,206

Zendframework potential Cross-site Scripting vector in `Zend_Service_ReCaptcha_MailHide`