CVE-2022-23598Cross-site Scripting in Laminas-form

CWE-79Cross-site Scripting3 documents3 sources
Severity
6.1MEDIUMNVD
EPSS
0.3%
top 43.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Laminas Laminas-formGetlaminas Laminas-formFedoraproject Fedora
Timeline
PublishedJan 28

Description

laminas-form is a package for validating and displaying simple and complex forms. When rendering validation error messages via the `formElementErrors()` view helper shipped with laminas-form, many messages will contain the submitted value. However, in laminas-form prior to version 3.1.1, the value was not being escaped for HTML contexts, which could potentially lead to a reflected cross-site scripting attack. Versions 3.1.1 and above contain a patch to mitigate the vulnerability. A workaround is

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

CVEListV5laminas/laminas-form< 3.1.1
Packagistlaminas/laminas-form3.1.03.1.1+2
NVDgetlaminas/laminas-form3.0.03.0.2+2

Also affects: Fedora 34, 35

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
Cross-site Scripting when rendering error messages in laminas-form2022-01-28
OSV
Cross-site Scripting when rendering error messages in laminas-form2022-01-28
CVE-2022-23598 — Cross-site Scripting in Laminas-form | cvebase