GHSA-6v7p-5qcq-268c: Zend-Navigation vulnerable to Cross-site Scripting

June 7, 2024

Many Zend Framework 2 view helpers were using the escapeHtml() view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr(). In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting (XSS) attack vectors.

Vulnerable view helpers include:

All Zend\Form view helpers.
Most Zend\Navigation (aka Zend\View\Helper\Navigation\*) view helpers.
All “HTML Element” view helpers: htmlFlash(), htmlPage(), htmlQuickTime().
Zend\View\Helper\Gravatar

References

framework.zend.com/security/advisory/ZF2014-03
github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-navigation/ZF2014-03.yaml
github.com/advisories/GHSA-6v7p-5qcq-268c
github.com/zendframework/zend-navigation

Detect and mitigate GHSA-6v7p-5qcq-268c with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →