QwikSec

Security Database

CVE

CWE

Training

CVE-2022-23598

Published: Jan 28, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

laminas-form is a package for validating and displaying simple and complex forms. When rendering validation error messages via the `formElementErrors()` view helper shipped with laminas-form, many messages will contain the submitted value. However, in laminas-form prior to version 3.1.1, the value was not being escaped for HTML contexts, which could potentially lead to a reflected cross-site scripting attack. Versions 3.1.1 and above contain a patch to mitigate the vulnerability. A workaround is available. One may manually place code at the top of a view script where one calls the `formElementErrors()` view helper. More information about this workaround is available on the GitHub Security Advisory.

Vendor	Product	Versions
laminas	laminas-form	affected `< 3.1.1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/laminas/laminas-form/security/advisories/GHSA-jq4p-mq33-w375

x_refsource_CONFIRM

https://github.com/laminas/laminas-form/commit/43005a3ec4c2292d4f825273768d9b884acbca37

x_refsource_MISC

https://getlaminas.org/security/advisory/LP-2022-01

x_refsource_MISC

FEDORA-2022-a42e97d8e8

vendor-advisory

x_refsource_FEDORA

FEDORA-2022-c138fbb8e0

vendor-advisory

x_refsource_FEDORA

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.