Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseGHSA-gwpm-pm6x-h7rj
GHSA-gwpm-pm6x-h7rj:
PHP vulnerability analysis and mitigation
Overview
A Cross-Site Scripting (XSS) vulnerability was discovered in Zend Framework's ZendFilterStripTags component, affecting versions 1.7.0 through 1.7.6. The vulnerability allows attackers to bypass attribute whitelisting when attributes contain whitespace or line breaks surrounding the attribute assignment operator, potentially enabling XSS attacks. The issue was disclosed on February 27, 2009, and was assigned the identifier GHSA-gwpm-pm6x-h7rj (GitHub Advisory, Zend Advisory).
Technical details
The vulnerability exists in the ZendFilterStripTags class, which is designed to function similarly to PHP's strip_tags() function. The component fails to properly handle attributes containing whitespace or line breaks around the attribute assignment operator, causing these attributes to remain in the output even when they are not explicitly whitelisted. For example, when using a filter configured to only allow 'href' attributes on 'a' tags, malicious 'onclick' attributes would still persist in the output if they contained specific whitespace patterns. The vulnerability has been assigned a CVSS v3.1 score of 6.1 (Moderate), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (GitHub Advisory).
Impact
The vulnerability could allow attackers to execute cross-site scripting (XSS) attacks by bypassing the attribute whitelisting mechanism. This could lead to unauthorized script execution in users' browsers, potentially compromising user data and session information. The impact is particularly significant in applications that rely on ZendFilterStripTags for XSS prevention (Zend Advisory).
Mitigation and workarounds
Users are strongly advised to upgrade to Zend Framework version 1.7.6 or later, which contains the patch for this vulnerability. For additional security, it is recommended to strip all tags rather than using whitelisting when relying on ZendFilterStripTags for XSS prevention. If whitelisting is necessary, users should consider implementing alternative XSS filtering solutions, such as HTML Purifier (Zend Advisory).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management