Описание
Zend_Filter_StripTags vulnerable to Cross-site Scripting when comments allowed
Zend_Filter_StripTags contained an optional setting to allow whitelisting HTML comments in filtered text. Microsoft Internet Explorer and several other browsers allow developers to create conditional functionality via HTML comments, including execution of script events and rendering of additional commented markup. By allowing whitelisting of HTML comments, a malicious user could potentially include XSS exploits within HTML comments that would then be rendered in the final output.
Пакеты
Наименование
zendframework/zendframework1
composer
Затронутые версииВерсия исправления
>= 1.7.0, < 1.7.9
1.7.9
Наименование
zendframework/zendframework1
composer
Затронутые версииВерсия исправления
>= 1.8.0, < 1.8.5
1.8.5
Наименование
zendframework/zendframework1
composer
Затронутые версииВерсия исправления
>= 1.9.0, < 1.9.7
1.9.7
6.1 Medium
CVSS3
Дефекты
CWE-79
6.1 Medium
CVSS3
Дефекты
CWE-79