Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Reflected XSS vulnerability when rendering error messages in laminas-form
Vulnerability Description
laminas-form is a package for validating and displaying simple and complex forms. When rendering validation error messages via the `formElementErrors()` view helper shipped with laminas-form, many messages will contain the submitted value. However, in laminas-form prior to version 3.1.1, the value was not being escaped for HTML contexts, which could potentially lead to a reflected cross-site scripting attack. Versions 3.1.1 and above contain a patch to mitigate the vulnerability. A workaround is available. One may manually place code at the top of a view script where one calls the `formElementErrors()` view helper. More information about this workaround is available on the GitHub Security Advisory.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
laminas-form 跨站脚本漏洞
Vulnerability Description
laminas-form是一个开源库,主要用作域模型和视图层之间的桥梁。它由一个表示表单元素的薄对象层、一个 InputFilter 和少量用于将数据绑定到表单和附加对象的方法。 laminas-form 存在安全漏洞,该漏洞源于当通过 laminas-form 附带的 formElementErrors() 视图助手呈现验证错误消息时,许多消息将包含提交的值。
CVSS Information
N/A
Vulnerability Type
N/A