oss-sec mailing list archives
Re: CVE Request -- php-ZendFramework: XSS vectors in multiple Zend Framework components (ZF2012-03)
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 26 Sep 2012 11:38:59 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/26/2012 09:51 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors, upstream ZendFramework 2.0.1 version corrected one occurrence of cross-site scripting (XSS) flaw across multiple components (improper escaping of HTML, HTML attributes and / or URLs): [1] http://framework.zend.com/blog/zend-framework-2-0-1-released.html [2] http://framework.zend.com/security/advisory/ZF2012-03 [3] https://bugzilla.redhat.com/show_bug.cgi?id=860738 [4] https://bugs.gentoo.org/show_bug.cgi?id=436210 Relevant upstream patch: [5] https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733 Could you allocate a CVE id for this? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team P.S.: While the aforementioned upstream [5] patch is against the 2.0.1 branch, after backport it would be applicable also against ZendFramework 1 versions (relevant routines across the affected components - at least those I checked have same definition).
Please use CVE-2012-4451 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQYz2zAAoJEBYNRVNeJnmT+jQP/jvFyH4K7Tud+syxmJ/CAuYC zujMIaneourkv65ejnWxfxsldXgrmL3DSmcZHY8nJNV8JcQZ+C2L4pH79pR1DnA/ OZIXm5AHEeOAZnwWGo7QhwOOZs8vIG9MEdwkIXZpsGdEtjQjt6EbFw/j0NAfEDFw q8yNYKH1KdiRGfhwAQhg9mMAHyrtnDMbTb4TJoc3KCLjgh7N4H608pWufZdbTHe5 HjRPwlGC+3A4IP6F5VQrlXiwlu3woP3w8nmCOEM+xVGLwWYRg+umPigzGpEU6ciq YDF63SKwBOYPI3KQz9qN2lkcxkk0/Ddh0ucNDrOPSNlhUDWmlWTEIwdIO9jGHL2M DFP9TOL+G+R9wfXEE5SYGcR3QZSeAS+0q2IZ5N+ZEn0nWvXcUfVTJuSNzILLbouf 5bIroTUW4kw73cQDKUNDiZOStawjq30/jZDvTnp2j8UoVM0CPKFLT2DnrLEqqBgK EDXCGIwt3w+yK7xEClWw/VP0VqOeEJQ+hbAairCOeBxVI5fHqNARwuxnLupH412x aBbw5s4RvmYCa7Nt+QtDyj4Ev+IvwXPe0rkJqqupKQwjDJBHeiP7ASvIaAqQAz6j IihObckVBVLO7+X4pGLloKjKXS6qoY2g/JTExXj7mVv0PHkEsKtpoCFg7bg1Xfvf 1vpkdKGoDgwgTHDgsAtH =McJy -----END PGP SIGNATURE-----
Current thread:
- CVE Request -- php-ZendFramework: XSS vectors in multiple Zend Framework components (ZF2012-03) Jan Lieskovsky (Sep 26)
- Re: CVE Request -- php-ZendFramework: XSS vectors in multiple Zend Framework components (ZF2012-03) Kurt Seifried (Sep 26)