CVE-2022-31109: Cross-site Scripting in Laminas-diactoros

Severity
NVD: 6.1 MEDIUM
CNA: 7.2
EPSS: 0.5% (top 33.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Aug 1, 2022

Description

laminas-diactoros is a PHP package containing implementations of the PSR-7 HTTP message interfaces and PSR-17 HTTP message factory interfaces. Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a `Laminas\Diactoros\Uri` instance associated with the incoming server request modified to reflect values from `X-Forwarded-*` headers. Such changes can potentially lead to XSS attacks (if a
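The behaviour the description refers to, as an added example written for this page rather than code from laminas-diactoros or from the advisory: a minimal PSR-7-style URI marshaller in plain PHP, with the pre-fix behaviour (X-Forwarded-* honoured from any client) beside a hardened version that honours those headers only when REMOTE_ADDR is a trusted proxy and validates the forwarded host and port before using them. The $_SERVER-style arrays, the proxy range 10.0.0.0/8 and every function name are constructed for the example and are not Diactoros APIs.

```php
<?php
declare(strict_types=1);

// Constructed request environments (not captured traffic). The first arrives
// directly from an untrusted client that sets X-Forwarded-* itself; the second
// arrives through a reverse proxy inside the trusted range.
const DIRECT_FROM_CLIENT = [
    'REMOTE_ADDR'            => '203.0.113.5',
    'HTTP_HOST'              => 'app.example.test',
    'HTTP_X_FORWARDED_HOST'  => 'attacker.test"><script>alert(1)</script>',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_PORT'  => '443',
    'REQUEST_URI'            => '/login',
];
const VIA_TRUSTED_PROXY = [
    'REMOTE_ADDR'            => '10.0.0.2',
    'HTTP_HOST'              => 'app-internal:8080',
    'HTTP_X_FORWARDED_HOST'  => 'www.example.test',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_PORT'  => '443',
    'REQUEST_URI'            => '/login',
];
const TRUSTED_PROXIES = ['10.0.0.0/8']; // assumed deployment-specific list

function buildUri(string $scheme, string $host, ?int $port, string $path): string
{
    $default   = $scheme === 'https' ? 443 : 80;
    $authority = ($port === null || $port === $default) ? $host : $host . ':' . $port;
    return $scheme . '://' . $authority . $path;
}

// Scheme/host/port as the web server itself saw the connection.
function baseUriFromServer(array $server): array
{
    $scheme = (($server['HTTPS'] ?? 'off') !== 'off') ? 'https' : 'http';
    $host   = $server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? 'localhost';
    $port   = null;
    if (preg_match('/^(.*):(\d+)$/', $host, $m)) {
        $host = $m[1];
        $port = (int) $m[2];
    }
    return [$scheme, $host, $port];
}

// Values a proxy (or anyone pretending to be one) put in X-Forwarded-*.
function forwardedOverrides(array $server): array
{
    $port = $server['HTTP_X_FORWARDED_PORT'] ?? null;
    return [
        $server['HTTP_X_FORWARDED_PROTO'] ?? null,
        $server['HTTP_X_FORWARDED_HOST'] ?? null,
        $port === null ? null : (int) $port,
    ];
}

// Vulnerable pattern: X-Forwarded-* is trusted no matter who sent it, so a
// client that is not behind a proxy can choose the URI's host/scheme/port.
function marshalUriTrustingAnyProxy(array $server): string
{
    [$scheme, $host, $port]    = baseUriFromServer($server);
    [$fScheme, $fHost, $fPort] = forwardedOverrides($server);
    return buildUri($fScheme ?? $scheme, $fHost ?? $host, $fPort ?? $port, $server['REQUEST_URI'] ?? '/');
}

// Hardened pattern: overrides are applied only when the TCP peer is a trusted
// proxy, and even then only if they look like a real host, scheme and port.
function marshalUriWithTrustedProxies(array $server, array $trustedProxyCidrs): string
{
    [$scheme, $host, $port] = baseUriFromServer($server);
    if (ipInAnyCidr($server['REMOTE_ADDR'] ?? '', $trustedProxyCidrs)) {
        [$fScheme, $fHost, $fPort] = forwardedOverrides($server);
        if (in_array($fScheme, ['http', 'https'], true))        { $scheme = $fScheme; }
        if ($fHost !== null && isValidHost($fHost))             { $host   = $fHost; }
        if ($fPort !== null && $fPort >= 1 && $fPort <= 65535)  { $port   = $fPort; }
    }
    return buildUri($scheme, $host, $port, $server['REQUEST_URI'] ?? '/');
}

// RFC 1123 hostname or IPv4 literal; quotes, angle brackets and spaces are
// rejected so a forged host can never carry markup into the URI.
function isValidHost(string $host): bool
{
    $hostname = '/^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i';
    return preg_match($hostname, $host) === 1
        || filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

function ipInAnyCidr(string $ip, array $cidrs): bool
{
    foreach ($cidrs as $cidr) {
        if (ipInCidr($ip, $cidr)) { return true; }
    }
    return false;
}

// IPv4 only in this example; a production check must also handle IPv6 peers.
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits       = (int) $bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) { return false; }
    $mask = $bits === 0 ? 0 : ((0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

if (PHP_SAPI === 'cli') {
    printf("vulnerable, direct:  %s\n", marshalUriTrustingAnyProxy(DIRECT_FROM_CLIENT));
    printf("hardened,   direct:  %s\n", marshalUriWithTrustedProxies(DIRECT_FROM_CLIENT, TRUSTED_PROXIES));
    printf("hardened,   proxied: %s\n", marshalUriWithTrustedProxies(VIA_TRUSTED_PROXY, TRUSTED_PROXIES));
    // Where the forged host becomes XSS is a template that reflects the request
    // URI into HTML (a canonical link, a form action); escape it there regardless.
    $uri = marshalUriWithTrustedProxies(DIRECT_FROM_CLIENT, TRUSTED_PROXIES);
    printf("<link rel=\"canonical\" href=\"%s\">\n", htmlspecialchars($uri, ENT_QUOTES, 'UTF-8'));
}
```

Run it with `php example.php`. The vulnerable marshaller returns a URI whose host is the attacker's markup; the hardened one ignores the direct client's X-Forwarded-* entirely and falls back to the server's own Host (`http://app.example.test/login`), while the request that genuinely came through 10.0.0.2 still gets its public scheme and host from the proxy. The trusted-proxy check is the fix the advisory describes; the host validation and output escaping are defence in depth for code paths that still reflect the URI.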

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (3 packages)

CVEListV5: laminas/laminas-diactoros < 2.11.1
Packagist: laminas/laminas-diactoros < 2.11.1

Patches

Vulnerability Details

CVEList: HTTP Host Header Attack Vulnerability in laminas-diactoros (2022-08-01)
GHSA: Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack (2022-07-27)
OSV: Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack (2022-07-27)