GHSA-4v57-pwvf-x35j: Zendframework potential Cross-site Scripting vector in `Zend_Service_ReCaptcha_MailHide`
`Zend_Service_ReCaptcha_MailHide` had a potential XSS vulnerability. Because the email address was never validated, and because its call to `htmlentities()` did not include the encoding argument, a malicious user aware of the issue could potentially inject a specially crafted multibyte string as an attack via the CAPTCHA's email argument.
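The two conditions named above (no validation of the address, no encoding argument to `htmlentities()`) are shown here next to a hardened form. This is an added example, not Zend Framework's code or its actual fix; the function names are hypothetical and the `mbstring` extension is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not Zend Framework code. Function names are hypothetical.

/** The pattern the advisory describes: no validation, no explicit encoding. */
function escapeEmailWeak(string $email): string
{
    // Charset falls back to PHP's default, which may differ from the page's.
    return htmlentities($email);
}

/** Hardened form: validate first, then escape with an explicit charset. */
function escapeEmailHardened(string $email, string $charset = 'UTF-8'): string
{
    // Reject byte sequences that are not well-formed in the declared charset.
    if (!mb_check_encoding($email, $charset)) {
        throw new InvalidArgumentException('Email is not valid ' . $charset);
    }
    // Reject anything that is not a syntactically valid address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address');
    }
    // ENT_QUOTES escapes both quote styles so the value is safe in attributes.
    return htmlentities($email, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
}

// Constructed, benign sample inputs: valid, malformed, and ill-formed UTF-8.
$samples = [
    'valid'     => 'user@example.com',
    'not-email' => 'not an address',
    'bad-utf8'  => "user\xC3@example.com", // lead byte with no continuation byte
];

foreach ($samples as $label => $email) {
    try {
        printf("%-10s accepted: %s\n", $label, escapeEmailHardened($email));
    } catch (InvalidArgumentException $e) {
        printf("%-10s rejected: %s\n", $label, $e->getMessage());
    }
}
```

The encoding check runs before the syntax check so that ill-formed byte sequences are refused outright rather than handed to the escaper.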