CVE-2022-23598: Reflected XSS vulnerability when rendering error messages in laminas-form
laminas-form is a package for validating and displaying simple and complex forms. When validation error messages are rendered via the formElementErrors() view helper shipped with laminas-form, many of those messages contain the submitted value. In affected versions of laminas-form, that value was not escaped for HTML contexts, which could lead to a reflected cross-site scripting attack. Patched releases contain a fix that mitigates the vulnerability. A workaround is also available: one may manually place code at the top of a view script where one calls the formElementErrors() view helper, so that the messages are escaped before they are rendered.
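As an added example (not code from the laminas-form project or its advisory), the workaround described above, written as a helper placed at the top of a laminas-view view script; it assumes `$form` is an already-validated `Laminas\Form\Form`, `$this` is the `PhpRenderer`, and the element name `email` is a placeholder.

```php
<?php
// Added example, not laminas-form's own code: escape every validation message
// (including messages of nested fieldsets) before formElementErrors() renders
// them, so a submitted value echoed back inside a message cannot inject markup.
declare(strict_types=1);

use Laminas\Form\ElementInterface;
use Laminas\Form\FieldsetInterface;
use Laminas\View\Renderer\PhpRenderer;

/** Escape each message of one element; validator messages may be nested arrays. */
function escapeElementMessages(ElementInterface $element, PhpRenderer $view): void
{
    $messages = $element->getMessages();
    array_walk_recursive($messages, static function (&$message) use ($view): void {
        // escapeHtml is the laminas-view helper, proxied through the renderer.
        $message = $view->escapeHtml((string) $message);
    });
    $element->setMessages($messages);
}

/** Walk a form/fieldset tree; Form implements FieldsetInterface. */
function escapeFieldsetMessages(FieldsetInterface $fieldset, PhpRenderer $view): void
{
    foreach ($fieldset->getElements() as $element) {
        escapeElementMessages($element, $view);
    }
    foreach ($fieldset->getFieldsets() as $child) {
        escapeFieldsetMessages($child, $view);
    }
}

// At the top of the view script, before any formElementErrors() call.
// Assumption: $form was populated with request data and isValid() already ran.
/** @var \Laminas\Form\Form $form */
escapeFieldsetMessages($form, $this);

// The helper now receives already-escaped messages (element name is a placeholder).
echo $this->formElementErrors($form->get('email'));
```

Apply this only on releases that still lack the fix: once the helper escapes messages itself, running this first would double-escape them.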