Summary
ZendFramework Cross-site Scripting vector in ZendFilterStripTags
Zend_Filter_StripTags is a filtering class analogous to PHP's strip_tags() function. In addition to stripping HTML tags and selectively keeping those provided in a whitelist, it also provides the ability to whitelist specific attributes to retain per whitelisted tag.
The reporter discovered that attributes that contained whitespace, and in paricular, line breaks, surrounding the attribute assignment operator would not be stripped, regardless of whether or not they were whitelisted. As examples of input affected:
<!-- newlines before and/or after assignment: -->
<a href="http://framework.zend.com/issues" onclick
=
"alert('Broken'); return false;">Issues</a>
When passed to the following code:
$filter = new Zend_Filter_StripTags(array('a' => array('href')));
$value = $filter->($html);
then the "onclick" attribute would remain, even though it was not specified in the tag's whitelist. This could open potential cross-site scripting attack (XSS) vectors.
Recommendations
If you were using Zend_Filter_StripTags and utlizing the attribute whitelisting functionality, you should immediately upgrade to Zend Framework 1.7.6 or above; regardless, it is always best to run the most current version of the framework.
Also, if relying on Zend_Filter_StripTags to prevent XSS, the only way to reliably do so is to strip all tags, and never to whitelist. If you are whitelisting, you should consider finding a reliable XSS filter through which to run your output; we recommend HTML Purifier.
Impact
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
GHSA-GWPM-PM6X-H7RJ has a CVSS score of 6.1 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.7.6); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-GWPM-PM6X-H7RJ? GHSA-GWPM-PM6X-H7RJ is a medium-severity cross-site scripting (XSS) vulnerability in zendframework/zendframework1 (composer), affecting versions >= 1.7.0, < 1.7.6. It is fixed in 1.7.6. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
- How severe is GHSA-GWPM-PM6X-H7RJ? GHSA-GWPM-PM6X-H7RJ has a CVSS score of 6.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of zendframework/zendframework1 are affected by GHSA-GWPM-PM6X-H7RJ? zendframework/zendframework1 (composer) versions >= 1.7.0, < 1.7.6 is affected.
- Is there a fix for GHSA-GWPM-PM6X-H7RJ? Yes. GHSA-GWPM-PM6X-H7RJ is fixed in 1.7.6. Upgrade to this version or later.
- Is GHSA-GWPM-PM6X-H7RJ exploitable, and should I be worried? Whether GHSA-GWPM-PM6X-H7RJ is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-GWPM-PM6X-H7RJ is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-GWPM-PM6X-H7RJ? Upgrade
zendframework/zendframework1to 1.7.6 or later.