PT-2022-16114 · Laminas · Laminas-Form

Weierophinney · Published 2022-01-28 · Updated 2022-03-25 · CVE-2022-23598

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

laminas-form versions prior to 2.17.1
laminas-form versions prior to 3.0.2
laminas-form versions prior to 3.1.1
Description

The laminas-form package is used for validating and displaying simple and complex forms. When rendering validation error messages via the formElementErrors() view helper, many messages contain the submitted value. In vulnerable versions of laminas-form, that value was not escaped for HTML contexts, which could lead to a reflected cross-site scripting attack.
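To make the mechanism concrete, here is an added, self-contained PHP illustration (not laminas-form code, and not from the advisory author): a validator-style message that interpolates the submitted value is rendered once verbatim, as the vulnerable helper did, and once HTML-escaped, as the fixed versions do. The message template, the sample submitted value and the helper names (buildMessage, renderUnescaped, renderEscaped, containsRawValue) are all constructed for this example.

```php
<?php
// Added illustration, not part of laminas-form. Shows why a validation
// message that embeds the submitted value is a reflected-XSS sink when it
// is written into HTML unescaped, and what the escaped output looks like.

declare(strict_types=1);

/**
 * Build a message the way validators typically do: the submitted value is
 * interpolated into a fixed template (here via a "%value%" placeholder).
 */
function buildMessage(string $template, string $value): string
{
    return str_replace('%value%', $value, $template);
}

/** Vulnerable rendering: each message is dropped into the markup verbatim. */
function renderUnescaped(array $messages): string
{
    $items = array_map(
        static fn (string $m): string => '<li>' . $m . '</li>',
        $messages
    );
    return '<ul class="errors">' . implode('', $items) . '</ul>';
}

/** Fixed rendering: each message is HTML-escaped before it is emitted. */
function renderEscaped(array $messages): string
{
    $items = array_map(
        static fn (string $m): string => '<li>' . escapeHtml($m) . '</li>',
        $messages
    );
    return '<ul class="errors">' . implode('', $items) . '</ul>';
}

/** Context-appropriate escaping for HTML body text. */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Defensive check for a test suite: does the rendered HTML still contain an
 * unescaped copy of a submitted value that carries markup characters?
 * True means the value reached the page as live markup.
 */
function containsRawValue(string $html, string $value): bool
{
    if ($value === escapeHtml($value)) {
        return false; // nothing to escape, so nothing to detect
    }
    return strpos($html, $value) !== false;
}

// Constructed sample: an e-mail field that received a value containing tags.
$submitted = '<b>not an email</b>';
$messages  = [
    buildMessage("The input '%value%' is not a valid email address", $submitted),
];

$vulnerable = renderUnescaped($messages);
$fixed      = renderEscaped($messages);

// In the unescaped output the <b> tag is live markup; in the escaped output
// it is shown to the user as literal text.
assert(containsRawValue($vulnerable, $submitted) === true);
assert(containsRawValue($fixed, $submitted) === false);

echo "Vulnerable: {$vulnerable}", PHP_EOL;
echo "Fixed:      {$fixed}", PHP_EOL;
```

The containsRawValue() check is the kind of regression test worth keeping around a view helper that renders user input: it fails whenever a value containing HTML metacharacters appears in the output byte-for-byte.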
Recommendations

For laminas-form versions prior to 2.17.1, update to version 2.17.1 or above to mitigate the vulnerability. For laminas-form versions prior to 3.0.2, update to version 3.0.2 or above to mitigate the vulnerability. For laminas-form versions prior to 3.1.1, update to version 3.1.1 or above to mitigate the vulnerability.

As a temporary workaround, manually place code at the top of a view script where the formElementErrors() view helper is called to escape the submitted values for HTML contexts. Use the following code:
```php
use Laminas\Form\ElementInterface;
use Laminas\View\Renderer\PhpRenderer;

// Escape every validation message held by a form, fieldset, or element so the
// submitted values embedded in those messages are safe to emit in HTML.
$escapeMessages = function (ElementInterface $formOrElement, PhpRenderer $renderer): void {
    $messages = $formOrElement->getMessages();
    if (! $messages) {
        return;
    }

    // Walk the (possibly nested) message array and escape each leaf string.
    // Keys are preserved so that a form's or fieldset's per-element message
    // structure survives the round trip through setMessages().
    $escapeRecursive = static function (array $messages) use (&$escapeRecursive, $renderer): array {
        $escaped = [];
        foreach ($messages as $key => $item) {
            $escaped[$key] = is_array($item)
                ? $escapeRecursive($item)
                : $renderer->escapeHtml((string) $item);
        }
        return $escaped;
    };

    $formOrElement->setMessages($escapeRecursive($messages));
};
```
Before calling formElementErrors() with a form, fieldset, or element, call the above closure as follows:
```php
// Usage with a form
// $this is the view renderer
$escapeMessages($form, $this);

// Usage with a fieldset
// $this is the view renderer
$escapeMessages($fieldset, $this);

// Usage with a form element
// $this is the view renderer
$escapeMessages($element, $this);
```

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2022-23598
GHSA-JQ4P-MQ33-W375

Affected Products

Laminas-Form