6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-gvpp-6jrj-5pqc

GHSA-gvpp-6jrj-5pqc: Zend-Form vulnerable to Cross-site Scripting

Many Zend Framework 2 view helpers were using the escapeHtml() view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr(). In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting (XSS) attack vectors.

Vulnerable view helpers include:

All Zend\Form view helpers.
Most Zend\Navigation (aka Zend\View\Helper\Navigation\*) view helpers.
All "HTML Element" view helpers: htmlFlash(), htmlPage(), htmlQuickTime().
Zend\View\Helper\Gravatar

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-gvpp-6jrj-5pqc

GHSA-gvpp-6jrj-5pqc:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
zendframework/zend-form	composer	>= 2.0.0, < 2.2.7	2.2.7
zendframework/zend-form	composer	>= 2.3.0, < 2.3.1	2.3.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper escaping in HTML attribute contexts. The commit diff shows the AbstractHelper's createAttributesString method was modified to use escapeHtmlAttr() instead of escapeHtml() for attribute values. Since this is a base class for form view helpers, this vulnerability affected all Zend\Form view helpers. The CWE-79 context confirms this is an XSS issue caused by improper escaping during HTML attribute generation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-gvpp-6jrj-5pqc: Zend-Form vulnerable to Cross-site Scripting

GHSA-gvpp-6jrj-5pqc:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

6.1

6.1

GHSA-gvpp-6jrj-5pqc: Zend-Form vulnerable to Cross-site Scripting

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI