Bug 436210 (CVE-2012-4451) - dev-php/ZendFramework: Multiple Cross-Site Scripting Vulnerabilities (CVE-2012-4451)
Status: RESOLVED INVALID
Alias: CVE-2012-4451
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
 
Reported: 2012-09-25 12:15 UTC by Agostino Sarubbo
Modified: 2013-01-15 23:20 UTC
Description Agostino Sarubbo gentoo-dev 2012-09-25 12:15:08 UTC
Description
Multiple vulnerabilities have been reported in Zend Framework, which can be exploited by malicious people to conduct cross-site scripting attacks.

Certain input passed to Zend\Feed\PubSubHubbub, Zend\Log\Formatter\Xml, Zend\Tag\Cloud\Decorator, Zend\Uri, Zend\View\Helper\HeadStyle, Zend\View\Helper\Navigation\Sitemap, and Zend\View\Helper\Placeholder\Container\AbstractStandalone is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

The vulnerabilities are reported in versions prior to 2.0.1.


Solution
Update to version 2.0.1.
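The advisory text above names the bug class but not the pattern behind it: values under user control are written into HTML by view helpers without being escaped for the context they land in. The following PHP is an added illustration of that pattern beside its hardened form. It is not Zend Framework code and is not part of this bug report; the helper names and the sample input are constructed for the example, and the hardened helper uses plain htmlspecialchars rather than any framework escaper.

```php
<?php
// Added illustration of the bug class in this report (unescaped output in a
// view helper). Not Zend Framework code: helper names and input are constructed.

declare(strict_types=1);

// Vulnerable pattern: attribute value and text node are interpolated as-is,
// so a value containing a quote or angle bracket breaks out of the markup.
function renderLinkUnescaped(string $href, string $label): string
{
    return '<a href="' . $href . '">' . $label . '</a>';
}

// Escape for an HTML body or quoted-attribute context.
// ENT_QUOTES covers single quotes as well as double quotes, so the result is
// safe inside either attribute quoting style; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, which would silently drop output.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: escape every interpolated value, and additionally restrict
// the href scheme, since htmlspecialchars does nothing against a javascript: URL.
function renderLinkEscaped(string $href, string $label): string
{
    $scheme = parse_url($href, PHP_URL_SCHEME);
    $allowed = ['http', 'https'];
    if ($scheme === false
        || ($scheme !== null && !in_array(strtolower($scheme), $allowed, true))) {
        $href = '#';
    }
    return '<a href="' . escapeHtml($href) . '">' . escapeHtml($label) . '</a>';
}

// Constructed sample input: a label that tries to close the tag early.
$label = '"><b>injected</b>';
$href  = 'https://example.org/?q=' . rawurlencode('a&b');

// The first line renders the injected tag as live markup; the second renders
// it as visible text.
echo renderLinkUnescaped($href, $label), PHP_EOL;
echo renderLinkEscaped($href, $label), PHP_EOL;
```

When reviewing a view helper for this class of bug, the check is the same for each interpolation point: which context (text node, quoted attribute, URL, CSS, JavaScript) the value ends up in, and whether the escaping applied matches that context. A single HTML-body escape is not sufficient for URL or CSS contexts, which is why the hardened helper adds a scheme check on top of htmlspecialchars.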
Comment 1 Agostino Sarubbo gentoo-dev 2012-09-25 12:15:48 UTC
@maintainer:

Please check if version 1.x is affected too.
Comment 2 Matti Bickel (RETIRED) gentoo-dev 2013-01-09 20:20:52 UTC
https://security-tracker.debian.org/tracker/CVE-2012-4451 says ZF1 is not vulnerable.

I'm unsure if gurligebis is going to provide ZF2 in the tree but the php team has decided we won't.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-15 23:20:16 UTC
(In reply to comment #2)
> https://security-tracker.debian.org/tracker/CVE-2012-4451 Says ZF1 is not
> vulnerable.
> 

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10

Agreed.