Vulnerability Name:

CVE-2022-23598 (CCN-218641)

Assigned: 2022-01-28
Published: 2022-01-28
Updated: 2022-03-25
Summary: laminas-form is a package for validating and displaying simple and complex forms. When rendering validation error messages via the `formElementErrors()` view helper shipped with laminas-form, many messages will contain the submitted value. However, in laminas-form prior to version 3.1.1, the value was not being escaped for HTML contexts, which could potentially lead to a reflected cross-site scripting attack. Versions 3.1.1 and above contain a patch to mitigate the vulnerability. A workaround is available. One may manually place code at the top of a view script where one calls the `formElementErrors()` view helper. More information about this workaround is available on the GitHub Security Advisory.
CVSS v3 Severity: 6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Cross-Site Scripting
References:
Source: MITRE
Type: CNA
CVE-2022-23598

Source: XF
Type: UNKNOWN
laminasform-cve202223598-xss(218641)

Source: CCN
Type: LP-2022-01
Reflected XSS vector in laminas/laminas-form

Source: MISC
Type: Mitigation, Third Party Advisory
https://getlaminas.org/security/advisory/LP-2022-01

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/laminas/laminas-form/commit/43005a3ec4c2292d4f825273768d9b884acbca37

Source: CONFIRM
Type: Mitigation, Third Party Advisory
https://github.com/laminas/laminas-form/security/advisories/GHSA-jq4p-mq33-w375

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-c138fbb8e0

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-a42e97d8e8

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2022-23598

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:getlaminas:laminas-form:*:*:*:*:*:*:*:* (Version < 2.17.1)
  • OR cpe:/a:getlaminas:laminas-form:*:*:*:*:*:*:*:* (Version >= 3.0.0 and < 3.0.2)
  • OR cpe:/a:getlaminas:laminas-form:3.1.0:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:getlaminas:laminas-form:3.1.0:*:*:*:*:*:*:*
