Name of the Vulnerable Software and Affected Versions Zend Framework 2 (affected versions not specified)

Description The issue arises from the use of the escapeHtml() view helper instead of the more appropriate escapeHtmlAttr() to escape HTML attributes in various Zend Framework 2 view helpers. This can lead to potential cross-site scripting (XSS) attack vectors when user data and/or JavaScript are used to seed attributes. The affected view helpers include all ZendForm view helpers, most ZendNavigation view helpers, all HTML Element view helpers such as htmlFlash(), htmlPage(), htmlQuickTime(), and ZendViewHelperGravatar.

Recommendations For all affected versions, consider updating the view helpers to use escapeHtmlAttr() instead of escapeHtml() to properly escape HTML attributes and mitigate the risk of XSS attacks. As a temporary workaround, consider restricting user input and JavaScript usage in attributes to minimize the risk of exploitation. Restrict access to the vulnerable view helpers, such as those in ZendForm, ZendNavigation, and HTML Element view helpers, to minimize the risk of exploitation.