Date: Wed, 26 Sep 2012 11:51:57 -0400 (EDT) From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> Cc: oss-security@...ts.openwall.com Subject: CVE Request -- php-ZendFramework: XSS vectors in multiple Zend Framework components (ZF2012-03) Hello Kurt, Steve, vendors, upstream ZendFramework 2.0.1 version corrected one occurrence of cross-site scripting (XSS) flaw across multiple components (improper escaping of HTML, HTML attributes and / or URLs):  http://framework.zend.com/blog/zend-framework-2-0-1-released.html  http://framework.zend.com/security/advisory/ZF2012-03  https://bugzilla.redhat.com/show_bug.cgi?id=860738  https://bugs.gentoo.org/show_bug.cgi?id=436210 Relevant upstream patch:  https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733 Could you allocate a CVE id for this? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team P.S.: While the aforementioned upstream  patch is against the 2.0.1 branch, after backport it would be applicable also against ZendFramework 1 versions (relevant routines across the affected components - at least those I checked have same definition).
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.