
Zend Framework < 2.0.1 Multiple XSS

Medium

Synopsis

The remote host is using a version of Zend Framework that is vulnerable to multiple Cross-Site Scripting (XSS) attack vectors.

Description

Versions of Zend Framework earlier than 2.0.1 contain flaws in the following scripts that allow remote cross-site scripting attacks:

- A flaw exists in the 'Zend\Feed\PubSubHubbub' script. (OSVDB 85683)
- A flaw exists in the 'Zend\Log\Formatter\Xml' script. (OSVDB 85684)
- A flaw exists in the 'Zend\View\Helper\Placeholder\Container\AbstractStandalone' script. (OSVDB 85685)
- A flaw exists in the 'Zend\View\Helper\Navigation\Sitemap' script. (OSVDB 85686)
- A flaw exists in the 'Zend\View\Helper\HeadStyle' script. (OSVDB 85687)
- A flaw exists in the 'Zend\Uri' script. (OSVDB 85688)
- A flaw exists in the 'Zend\Tag\Cloud\Decorator' script. (OSVDB 85689)

The application does not validate certain unspecified input upon submission to these scripts. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Solution

Upgrade Zend Framework to version 2.0.1 or later.