| purl | pkg:composer/zendframework/zendframework1@1.7.0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-24xb-s5fu-xuc2 (aliases: ZF2010-05) | Cross-site Scripting: potential XSS vector in `Zend_Service_ReCaptcha_MailHide`. | Affected by 29 other vulnerabilities. |
| VCID-46j8-n7cg-3feu (aliases: ZF2009-02) | Cross-site Scripting: XSS vector in `Zend_Filter_StripTags`. | Affected by 29 other vulnerabilities. |
| VCID-58xr-g2ea-z7ed (aliases: GHSA-vvm3-rv48-j3g5) | Zendframework potential XSS or HTML injection vector in Zend_Json: `Zend_Json_Encoder` was not taking the solidus character (`/`) into account during encoding, leading to incompatibilities with the JSON specification and opening the potential for XSS or HTML injection attacks when returning HTML within a JSON string. | Affected by 0 other vulnerabilities. |
| VCID-6j4n-cucb-5fdy (aliases: ZF2010-02) | Cross-site Scripting: potential XSS vector in `Zend_Dojo_View_Helper_Editor`. | Affected by 29 other vulnerabilities. |
| VCID-cp8b-e8wm-kfb3 (aliases: ZF2010-06) | Cross-Site Scripting: potential security issues in the bundled Dojo library. | Affected by 29 other vulnerabilities. |
| VCID-e2nf-wm5h-fqav (aliases: ZF2009-01) | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'): file inclusion vector in `Zend_View::setScriptPath()` and `render()`. | Affected by 29 other vulnerabilities. |
| VCID-e98a-dehh-ybbe (aliases: ZF2010-03) | Cross-site Scripting: potential XSS vector in `Zend_Filter_StripTags` when comments are allowed. | Affected by 29 other vulnerabilities. |
| VCID-qwq5-qfwx-7fad (aliases: GHSA-gwpm-pm6x-h7rj) | ZendFramework Cross-site Scripting vector in `Zend_Filter_StripTags`. `Zend_Filter_StripTags` is a filtering class analogous to PHP's `strip_tags()` function. In addition to stripping HTML tags and selectively keeping those provided in an allowlist, it also provides the ability to allowlist specific attributes to retain per allowlisted tag. The reporter discovered that attributes with whitespace, and in particular line breaks, surrounding the attribute assignment operator would not be stripped, regardless of whether or not they were allowlisted. An example of affected input (newlines before and/or after the assignment operator are affected in the same way): `<a href="http://framework.zend.com/issues" onclick = "alert('Broken'); return false;">Issues</a>`. When passed to `$filter = new Zend_Filter_StripTags(array('a' => array('href'))); $value = $filter->filter($html);` the `onclick` attribute would remain, even though it was not specified in the tag's allowlist. This could open potential cross-site scripting (XSS) vectors. | Affected by 0 other vulnerabilities. |
| VCID-rnne-hzp6-e3hp (aliases: GHSA-4vf6-mq7w-3hp6) | Zend_Filter_StripTags vulnerable to Cross-site Scripting when comments are allowed. Zend_Filter_StripTags contained an optional setting to allowlist HTML comments in filtered text. Microsoft Internet Explorer and several other browsers allow developers to create conditional functionality via HTML comments, including execution of script events and rendering of additional commented markup. By allowing HTML comments to be allowlisted, a malicious user could potentially include XSS exploits within HTML comments that would then be rendered in the final output. | Affected by 0 other vulnerabilities. |
| VCID-w2n5-5n2c-ryc8 (aliases: GHSA-4v57-pwvf-x35j) | Zendframework potential Cross-site Scripting vector in `Zend_Service_ReCaptcha_MailHide`. `Zend_Service_ReCaptcha_MailHide` had a potential XSS vulnerability. Because the email address was never validated, and because its use of `htmlentities()` did not include the encoding argument, it was potentially possible for a malicious user aware of the issue to inject a specially crafted multibyte string as an attack via the CAPTCHA's email argument. | Affected by 0 other vulnerabilities. |
| VCID-wg7p-tvdc-6yh6 (aliases: GHSA-j543-vg33-g6vj) | ZendFramework potential Cross-site Scripting vector in `Zend_Dojo_View_Helper_Editor`. `Zend_Dojo_View_Helper_Editor` was incorrectly decorating a TEXTAREA instead of a DIV. The Dojo team has reported that this has security implications, as the rich text editor they use is unable to escape content for a TEXTAREA. | Affected by 0 other vulnerabilities. |
| VCID-z8a6-g6hn-syb1 (aliases: GHSA-hx3m-959f-v849) | ZendFramework local file inclusion vector in `Zend_View::setScriptPath()` and `render()`. Zend_View is a component that uses PHP as a templating language. To use it, you specify "script paths" that contain view scripts, and then `render()` view scripts by specifying subdirectories within those script paths; the output is returned as a string value which may be cached or directly output. `Zend_View::setScriptPath()` in versions up to and including 1.7.4 includes a potential local file inclusion vulnerability. If untrusted input is used to specify the script path and/or the view script itself, an attacker could specify a system directory and thus render a system file. As an example, if the user-supplied string `/etc/passwd`, or a relative path that resolved to that file, was supplied to `Zend_View::render()`, that file would be rendered. | Affected by 0 other vulnerabilities. |
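The two `Zend_Filter_StripTags` advisories above (GHSA-gwpm-pm6x-h7rj and GHSA-4vf6-mq7w-3hp6) describe the same defect class: a filter that removes what it recognises and passes through what it does not. The following is an added example, written for this page in Python and not Zend Framework code, that reconstructs both failure modes with a small regex-based tag filter: the fail-open version only examines attributes written exactly as `name="value"`, so `onclick = "..."` with spaces or newlines around `=` survives, and it copies allowed comments through verbatim, conditional comments included. The fail-closed version rebuilds each allowed tag from its allowlisted attributes and always drops comments. The allowlist (`a` with `href` only), the regexes and the sample inputs are constructed for the example.

```python
import re

# Allowlist constructed for the example, mirroring the advisory: keep <a>,
# and keep only its href attribute.
ALLOWED = {"a": {"href"}}

_TAG = re.compile(r"<(/?)([A-Za-z][\w:-]*)([^>]*)>")
_COMMENT = re.compile(r"<!--.*?-->", re.S)
# Strict attribute grammar: name="value" with nothing around '='. This is our
# reconstruction of the defect class in the advisory, not ZF's own regex.
_ATTR_STRICT = re.compile(r'([\w:-]+)="([^"]*)"')
# Tolerant grammar: any whitespace (incl. newlines) around '=', any quoting.
_ATTR_ANY = re.compile(r'''([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''')


def _fail_open_tag(m):
    """Remove recognised, non-allowlisted attributes; pass the rest through."""
    closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
    if name not in ALLOWED:
        return ""
    if closing:
        return f"</{name}>"
    # An attribute that does not match the strict grammar is never examined,
    # so  onclick = "..."  (spaces or newlines around '=') survives intact.
    cleaned = _ATTR_STRICT.sub(
        lambda a: a.group(0) if a.group(1).lower() in ALLOWED[name] else "",
        attrs)
    return f"<{name}{cleaned}>"


def _fail_closed_tag(m):
    """Rebuild the tag from allowlisted attributes only; drop everything else."""
    closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
    if name not in ALLOWED:
        return ""
    if closing:
        return f"</{name}>"
    kept = [name]
    for a in _ATTR_ANY.finditer(attrs):
        aname = a.group(1).lower()
        if aname in ALLOWED[name]:
            value = next(g for g in a.groups()[1:] if g is not None)
            safe = value.replace('"', "&quot;")  # re-quote consistently
            kept.append(f'{aname}="{safe}"')
    return "<" + " ".join(kept) + ">"


def strip_tags_fail_open(html, allow_comments=True):
    """Vulnerable shape: fragile attribute grammar, and comments (when
    allowed) are copied through verbatim, conditional comments included."""
    out, pos = [], 0
    for c in _COMMENT.finditer(html):
        out.append(_TAG.sub(_fail_open_tag, html[pos:c.start()]))
        out.append(c.group(0) if allow_comments else "")
        pos = c.end()
    out.append(_TAG.sub(_fail_open_tag, html[pos:]))
    return "".join(out)


def strip_tags_fail_closed(html):
    """Hardened shape: comments are always removed and tags are rebuilt from
    the allowlist, so unparsed input cannot leak into the output."""
    return _TAG.sub(_fail_closed_tag, _COMMENT.sub("", html))


# Constructed inputs: the advisory's example (spaces around '='), a newline
# variant, and an IE conditional comment carrying script.
SAMPLE_SPACES = ('<a href="http://framework.zend.com/issues" onclick = '
                 '"alert(\'Broken\'); return false;">Issues</a>')
SAMPLE_NEWLINES = ('<a href="http://framework.zend.com/issues"\nonclick\n=\n'
                   '"alert(1)">Issues</a>')
SAMPLE_COMMENT = '<!--[if IE]><script>alert(1)</script><![endif]--><b>hi</b>'

if __name__ == "__main__":
    for s in (SAMPLE_SPACES, SAMPLE_NEWLINES, SAMPLE_COMMENT):
        print("fail-open:  ", strip_tags_fail_open(s))
        print("fail-closed:", strip_tags_fail_closed(s))
```

The design point is the direction of the default: the fail-open filter can only remove what its attribute regex understands, so any syntax outside that regex is silently preserved, while the fail-closed filter emits only what it positively matched against the allowlist. Reviewing a sanitiser, look for the former shape.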
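For the Zend_Json advisory (GHSA-vvm3-rv48-j3g5), the practical consequence of not escaping `/` is that a string such as `</script>` inside JSON emitted into an inline script block ends the block early. The following added example, written for this page in Python and not Zend Framework code, shows a plain encoder beside one that escapes the solidus as `\/` and, going slightly beyond the advisory, also escapes `<`, `>`, `&` and the U+2028/2029 line terminators with `\uXXXX` escapes. All substitutions are valid JSON escapes, so a decoder sees the same data. The payload and the `embed_in_script` wrapper are constructed for the example.

```python
import json

# Characters that can change the surrounding HTML/JS context when a JSON
# string is embedded in a page. Escaping '/' breaks the literal "</script>"
# sequence, which is the advisory's point; the rest is common hardening.
_HTML_ESCAPES = {
    "/": "\\/",
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}


def json_encode_naive(value):
    """Plain json.dumps: '/' is emitted verbatim, like the pre-fix encoder."""
    return json.dumps(value, ensure_ascii=False)


def json_encode_html_safe(value):
    """json.dumps, then escape characters significant to HTML/JS contexts.
    Each substitution is a legal JSON escape, so decoding is unchanged."""
    text = json.dumps(value, ensure_ascii=False)
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in text)


def embed_in_script(value, safe=True):
    """Constructed page fragment: the JSON lands inside an inline script."""
    enc = json_encode_html_safe if safe else json_encode_naive
    return f"<script>var data = {enc(value)};</script>"


def roundtrips(value):
    """The hardened output must decode to exactly the original value."""
    return json.loads(json_encode_html_safe(value)) == value


# Constructed payload: a field whose value closes the script block early.
PAYLOAD = {"name": "x</script><script>alert(1)</script>"}

if __name__ == "__main__":
    print(embed_in_script(PAYLOAD, safe=False))
    print(embed_in_script(PAYLOAD, safe=True))
    print("roundtrip ok:", roundtrips(PAYLOAD))
```

Counting `</script>` occurrences in the two fragments makes the effect visible: the naive embedding contains three (two from the payload, one from the wrapper), the safe embedding exactly one.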
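The Zend_View advisory (ZF2009-01 / GHSA-hx3m-959f-v849) is a path-containment problem: a view name is joined onto a script path and included without checking that the result still lies inside that path. The following added example, written for this page in Python and not Zend Framework code, puts the naive resolution beside a resolver that canonicalises the script path and the candidate, rejects absolute names, and requires the canonical candidate to stay under the registered base. The class and function names, the `.format()`-based stand-in for a PHP include, and the throwaway directory layout in `demo()` are all constructed for the example.

```python
import os
import tempfile


class ViewScriptError(ValueError):
    """Raised when a view name cannot be safely resolved."""


class SafeViewResolver:
    """Resolve a view script name against registered script paths, refusing
    any name that would escape them (absolute paths, '..', symlinks out)."""

    def __init__(self, script_paths):
        # Canonicalise once so later comparisons are on real paths.
        self._paths = [os.path.realpath(p) for p in script_paths]

    def resolve(self, name):
        if os.path.isabs(name) or "\x00" in name:
            raise ViewScriptError(f"absolute or malformed view name: {name!r}")
        for base in self._paths:
            candidate = os.path.realpath(os.path.join(base, name))
            # commonpath, not startswith: '/srv/views2' must not pass as
            # being inside '/srv/views'.
            if os.path.commonpath([base, candidate]) != base:
                raise ViewScriptError(f"view {name!r} escapes {base}")
            if os.path.isfile(candidate):
                return candidate
        raise ViewScriptError(f"view {name!r} not found in script paths")

    def render(self, name, **ctx):
        # Stand-in for PHP include (assumption for the example): a str.format
        # template. The point is the path check, not the templating.
        with open(self.resolve(name), encoding="utf-8") as fh:
            return fh.read().format(**ctx)


def naive_resolve(script_paths, name):
    """The unsafe shape: first existing path wins, no containment check.
    os.path.join discards the base when name is absolute, and '..' is honoured."""
    for base in script_paths:
        candidate = os.path.join(base, name)
        if os.path.isfile(candidate):
            return candidate
    raise FileNotFoundError(name)


def demo():
    """Build a throwaway script path plus a fake 'system file' outside it,
    then resolve a good name and two hostile ones both ways."""
    root = tempfile.mkdtemp()
    views = os.path.join(root, "views")
    os.makedirs(views)
    with open(os.path.join(views, "index.phtml"), "w", encoding="utf-8") as fh:
        fh.write("<h1>Hello {user}</h1>")
    secret = os.path.join(root, "secret.txt")  # stands in for /etc/passwd
    with open(secret, "w", encoding="utf-8") as fh:
        fh.write("root:x:0:0")

    resolver = SafeViewResolver([views])
    out = {"good": resolver.render("index.phtml", user="alice")}
    for label, bad in (("abs", secret), ("rel", "../secret.txt")):
        with open(naive_resolve([views], bad), encoding="utf-8") as fh:
            out["naive_" + label] = fh.read()
        try:
            resolver.resolve(bad)
            out["safe_" + label] = "resolved"
        except ViewScriptError:
            out["safe_" + label] = "rejected"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10} {v}")
```

Both hostile names (an absolute path and a `..` traversal) read the file outside the script path through `naive_resolve` and are rejected by `SafeViewResolver`. The realpath step matters as much as the prefix check: without it a symlink placed inside the views directory would pass a purely lexical comparison.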
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |