GHSA-jq4p-mq33-w375

Published: 28 Jan 2022
Source: github
GitHub: reviewed
CVSS3: 6.1

Description

Cross-site Scripting when rendering error messages in laminas-form

Impact

When rendering validation error messages via the formElementErrors() view helper shipped with laminas-form, many messages will contain the submitted value. However, in vulnerable versions of laminas-form, the value was not being escaped for HTML contexts, which can potentially lead to a Reflected Cross-Site Scripting (XSS) attack.

Patches

The following versions were issued to mitigate the vulnerability:

  • 2.17.1
  • 3.0.2
  • 3.1.1

Workarounds

At the top of a view script where you call the formElementErrors() view helper, place the following code:

use Laminas\Form\ElementInterface;
use Laminas\View\PhpRenderer;

// Escapes every validation message held by a form, fieldset, or element for an
// HTML context before formElementErrors() renders it. Messages are escaped in
// place so the nested structure (element name => message key => text) that
// Form::setMessages() and Fieldset::setMessages() expect is preserved.
$escapeMessages = function (ElementInterface $formOrElement, PhpRenderer $renderer): void {
    $messages = $formOrElement->getMessages();
    if (! $messages) {
        return;
    }

    array_walk_recursive(
        $messages,
        static function (string &$item) use ($renderer): void {
            $item = $renderer->escapeHtml($item);
        }
    );

    $formOrElement->setMessages($messages);
};

Before calling formElementErrors() with a form, fieldset, or element, call the above closure as follows:

// Usage with a form; $this is the view renderer
$escapeMessages($form, $this);

// Usage with a fieldset; $this is the view renderer
$escapeMessages($fieldset, $this);

// Usage with a form element; $this is the view renderer
$escapeMessages($element, $this);

For more information

If you have any questions or comments about this advisory:

Packages

Name                   Ecosystem   Affected versions    Fixed version
laminas/laminas-form   composer    >= 3.1.0, < 3.1.1    3.1.1
laminas/laminas-form   composer    >= 3.0.0, < 3.0.2    3.0.2
laminas/laminas-form   composer    < 2.17.1             2.17.1
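To check whether a project pulls in one of the affected releases, here is an added Python example (not part of the advisory or the laminas project) that reads a composer.lock and compares the laminas/laminas-form version against the three ranges listed above. The lock-file fragment is constructed for the demonstration.

```python
import json
import re

# Affected ranges from GHSA-jq4p-mq33-w375 as (lower bound inclusive or None, upper bound exclusive)
AFFECTED_RANGES = [
    (None, (2, 17, 1)),          # < 2.17.1
    ((3, 0, 0), (3, 0, 2)),      # >= 3.0.0, < 3.0.2
    ((3, 1, 0), (3, 1, 1)),      # >= 3.1.0, < 3.1.1
]


def parse_version(version: str):
    """Turn a composer version string such as 'v3.0.1' or '2.16.0' into a comparable tuple.
    Branch aliases like 'dev-master' cannot be compared and yield None."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version falls inside any affected range of the advisory."""
    v = parse_version(version)
    if v is None:
        return False
    return any((lower is None or v >= lower) and v < upper for lower, upper in AFFECTED_RANGES)


def scan_lock(lock_json: str):
    """Return (section, version, affected) for every laminas/laminas-form entry,
    looking at both runtime and dev packages."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "laminas/laminas-form":
                findings.append((section, pkg["version"], is_affected(pkg["version"])))
    return findings


# Constructed composer.lock fragment (not taken from a real project)
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laminas/laminas-form", "version": "3.0.1"},
        {"name": "laminas/laminas-view", "version": "2.14.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, affected in scan_lock(SAMPLE_LOCK):
        print(f"{section}: laminas/laminas-form {version} -> {'AFFECTED' if affected else 'ok'}")
```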

EPSS

Percentile: 56%
Score: 0.00335
Low

CVSS3

6.1 Medium

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 6.1
nvd
about 4 years ago

laminas-form is a package for validating and displaying simple and complex forms. When rendering validation error messages via the `formElementErrors()` view helper shipped with laminas-form, many messages will contain the submitted value. However, in laminas-form prior to version 3.1.1, the value was not being escaped for HTML contexts, which could potentially lead to a reflected cross-site scripting attack. Versions 3.1.1 and above contain a patch to mitigate the vulnerability. A workaround is available. One may manually place code at the top of a view script where one calls the `formElementErrors()` view helper. More information about this workaround is available on the GitHub Security Advisory.
