6.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-hg35-vqp3-fv39

EPSS Score

CWE

CWE-79

Published

6/7/2024

Updated

6/7/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-hg35-vqp3-fv39

GHSA-hg35-vqp3-fv39: ZendFramework potential Cross-site Scripting vectors due to inconsistent encodings

A number of classes, primarily within the Zend_Form, Zend_Filter, Zend_Form, Zend_Log and Zend_View components, contained character encoding inconsistencies whereby calls to the htmlspecialchars() and htmlentities() functions used undefined or hard coded charset parameters. In many of these cases developers were unable to set a character encoding of their choice. These inconsistencies could, in specific circumstances, allow certain multibyte representations of special HTML characters pass through unescaped leaving applications potentially vulnerable to cross-site scripting (XSS) exploits. Such exploits would only be possible if a developer used a non-typical character encoding (such as UTF-7), allowed users to define the character encoding, or served HTML documents without a valid character set defined.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-hg35-vqp3-fv39

EPSS Score

CWE

CWE-79

Published

6/7/2024

Updated

6/7/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
zendframework/zendframework1	composer	>= 1.9.0, < 1.9.7	1.9.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper use of PHP's core escaping functions (htmlspecialchars/htmlentities) without proper charset specification. The advisory explicitly identifies these functions as problematic when used with hard-coded/undefined charset parameters across multiple components. While exact file paths aren't provided in references, the pattern of insecure function usage is clearly documented in the security advisory and consistent with XSS vulnerabilities caused by encoding mismatches.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* num**r o* *l*ss*s, prim*rily wit*in t** `Z*n*_*orm`, `Z*n*_*ilt*r`, `Z*n*_*orm`, `Z*n*_Lo*` *n* `Z*n*_Vi*w *ompon*nts`, *ont*in** ***r**t*r *n*o*in* in*onsist*n*i*s w**r**y **lls to t** `*tmlsp**i*l***rs()` *n* *tml*ntiti*s() *un*tions us** un***in

Reasoning

T** vuln*r**ility st*ms *rom improp*r us* o* `P*P`'s *or* *s**pin* *un*tions (`*tmlsp**i*l***rs`/`*tml*ntiti*s`) wit*out prop*r ***rs*t sp**i*i**tion. T** **visory *xpli*itly i**nti*i*s t**s* *un*tions *s pro*l*m*ti* w**n us** wit* **r*-*o***/un***in

6.1

Basic Information

Concerned about an active attack path?

GHSA-hg35-vqp3-fv39: ZendFramework potential Cross-site Scripting vectors due to inconsistent encodings

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI