oss-sec mailing list archives
CVE Request -- php-ZendFramework: XSS vectors in multiple Zend Framework components (ZF2012-03)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 26 Sep 2012 11:51:57 -0400 (EDT)
Hello Kurt, Steve, vendors, upstream ZendFramework 2.0.1 version corrected one occurrence of cross-site scripting (XSS) flaw across multiple components (improper escaping of HTML, HTML attributes and / or URLs): [1] http://framework.zend.com/blog/zend-framework-2-0-1-released.html [2] http://framework.zend.com/security/advisory/ZF2012-03 [3] https://bugzilla.redhat.com/show_bug.cgi?id=860738 [4] https://bugs.gentoo.org/show_bug.cgi?id=436210 Relevant upstream patch: [5] https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733 Could you allocate a CVE id for this? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team P.S.: While the aforementioned upstream [5] patch is against the 2.0.1 branch, after backport it would be applicable also against ZendFramework 1 versions (relevant routines across the affected components - at least those I checked have same definition).
Current thread:
- CVE Request -- php-ZendFramework: XSS vectors in multiple Zend Framework components (ZF2012-03) Jan Lieskovsky (Sep 26)