Zend Framework < 2.0.1 Multiple XSS
Medium Nessus Network Monitor Plugin ID 9147
Synopsis
The remote host is using a version of Zend Framework that is vulnerable to multiple Cross-Site Scripting (XSS) attack vectors.
Description
Versions of Zend Framework earlier than 2.0.1 are exposed to flaws in the following scripts which allow remote cross-site scripting attacks:
- A flaw exists in the 'Zend\Feed\PubSubHubbub' script. (OSVDB 85683)
- A flaw exists in the 'Zend\Log\Formatter\Xml' script. (OSVDB 85684)
- A flaw exists in the 'Zend\View\Helper\Placeholder\Container\AbstractStandalone' script. (OSVDB 85685)
- A flaw exists in the 'Zend\View\Helper\Navigation\Sitemap' script. (OSVDB 85686)
- A flaw exists in the 'Zend\View\Helper\HeadStyle' script. (OSVDB 85687)
- A flaw exists in the 'Zend\Uri' script. (OSVDB 85688)
- A flaw exists in the 'Zend\Tag\Cloud\Decorator' script. (OSVDB 85689)
The application does not validate certain unspecified input upon submission to these scripts. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
Solution
Upgrade Zend Framework to version 2.0.1 or later.