CVE-2022-23598

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 28-01-2022 11:15

Last modified: - 07-10-2022 05:11

Total changes: - 7

Description

laminas-form is a package for validating and displaying simple and complex forms. When rendering validation error messages via the `formElementErrors()` view helper shipped with laminas-form, many messages will contain the submitted value. However, in laminas-form prior to version 3.1.1, the value was not being escaped for HTML contexts, which could potentially lead to a reflected cross-site scripting attack. Versions 3.1.1 and above contain a patch to mitigate the vulnerability. A workaround is available. One may manually place code at the top of a view script where one calls the `formElementErrors()` view helper. More information about this workaround is available on the GitHub Security Advisory.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

Low

Confidentiality

Low

Integrity

None

Privileges required

Changed

Scope

Required

User interaction

6.1

Base score

2.8

2.7

Exploitability score

Impact score

Verification logic

Reference

https://getlaminas.org/security/advisory/LP-2022-01
https://github.com/laminas/laminas-form/commit/43005a3ec4c2292d4f825273768d9b884acbca37
https://github.com/laminas/laminas-form/security/advisories/GHSA-jq4p-mq33-w375
FEDORA-2022-c138fbb8e0-Mailing List, Third Party Advisory
FEDORA-2022-a42e97d8e8-Mailing List, Third Party Advisory

Keywords

CVE-2022-23598

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2022-23598

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures