GHSA-vvm3-rv48-j3g5: 
PHP vulnerability analysis and mitigation

A security vulnerability was identified in Zend Framework's JSON encoding functionality, specifically in the ZendJsonEncoder component. The vulnerability, tracked as GHSA-vvm3-rv48-j3g5, was discovered in January 2010 and affects multiple versions of the Zendframework1 package, including versions 1.7.0-1.7.8, 1.8.0-1.8.4, and 1.9.0-1.9.6. The issue stems from improper handling of the solidus character (/) during JSON encoding operations (Zend Advisory).

The vulnerability exists in the ZendJsonEncoder component, which failed to properly escape the solidus character (/) during JSON encoding operations. This oversight led to incompatibilities with the JSON specification and created potential security risks. The vulnerability has been assigned a CVSS v3.1 score of 6.1 (Moderate), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue is classified under CWE-79, indicating its relationship to cross-site scripting vulnerabilities (GitHub Advisory).

The vulnerability could potentially lead to Cross-Site Scripting (XSS) or HTML injection attacks when returning HTML within a JSON string. This particularly affects users who are either using ZendJsonEncoder directly, requesting native encoding instead of using ext/json, or operating on systems where ext/json is unavailable, such as RHEL and CentOS (Zend Advisory).

The vulnerability has been patched in versions 1.7.9, 1.8.5, and 1.9.7 of the framework. The fix involves updating ZendJsonEncoder to properly escape the solidus character when encoding PHP strings to JSON. Users are strongly recommended to upgrade to these patched versions or the latest available Zend Framework release (Zend Advisory).

The vulnerability was initially reported by security researcher Pádraic Brady, who worked with the Zend Framework team to address the issue. The Zend Framework team acknowledged his contribution in helping to protect the framework's users (Zend Advisory).