Описание
Zend-Navigation vulnerable to Cross-site Scripting
Many Zend Framework 2 view helpers were using the escapeHtml() view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr(). In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting (XSS) attack vectors.
Vulnerable view helpers include:
- All
Zend\Formview helpers. - Most
Zend\Navigation(akaZend\View\Helper\Navigation\*) view helpers. - All "HTML Element" view helpers:
htmlFlash(),htmlPage(),htmlQuickTime(). Zend\View\Helper\Gravatar
Пакеты
Наименование
zendframework/zend-navigation
composer
Затронутые версииВерсия исправления
>= 2.0.0, < 2.2.7
2.2.7
Наименование
zendframework/zend-navigation
composer
Затронутые версииВерсия исправления
>= 2.3.0, < 2.3.1
2.3.1
7.5 High
CVSS3
Дефекты
CWE-352
7.5 High
CVSS3
Дефекты
CWE-352