Zendframework Potential XSS or HTML Injection vector in Zend_Json

Zend_Json_Encoder was not taking into account the solidus character (/) during encoding, leading to incompatibilities with the JSON specification, and opening the potential for XSS or HTML injection attacks when returning HTML within a JSON string.

Published: Jun 7, 2024
Updated: Jun 27, 2024
GHSA: GHSA-vvm3-rv48-j3g5
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
zendframework / zendframework1	1.7.0	1.7.9
zendframework / zendframework1	1.8.0	1.8.5
zendframework / zendframework1	1.9.0	1.9.7

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2010-06.yaml
https://web.archive.org/web/20200228150030/https://framework.zend.com/security/advisory/ZF2010-06

Vulnerability Database

290,206

Zendframework Potential XSS or HTML Injection vector in Zend_Json