Multiple vulnerabilities have been reported in Zend Framework, which can be exploited by malicious people to conduct cross-site scripting attacks.
Certain input passed to Zend\Feed\PubSubHubbub, Zend\Log\Formatter\Xml, Zend\Tag\Cloud\Decorator, Zend\Uri, Zend\View\Helper\HeadStyle, Zend\View\Helper\Navigation\Sitemap, and Zend\View\Helper\Placeholder\Container\AbstractStandalone is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
The vulnerabilities are reported in versions prior to 2.0.1.
Update to version 2.0.1.
Please check if version 1.x is affected too.
https://security-tracker.debian.org/tracker/CVE-2012-4451 Says ZF1 is not vulnerable.
I'm unsure if gurligebis is going to provide ZF2 in the tree, but the php team has decided we won't.
(In reply to comment #2)
> https://security-tracker.debian.org/tracker/CVE-2012-4451 Says ZF1 is not