laminas/laminas-form is vulnerable to cross-site scripting (XSS) attacks. A remote, unauthenticated attacker is able to inject and execute malicious JavaScript in a victim's browser through unescaped submitted values when validation error messages are rendered via the formElementErrors function.
getlaminas.org/security/advisory/LP-2022-01
github.com/laminas/laminas-form/commit/43005a3ec4c2292d4f825273768d9b884acbca37
github.com/laminas/laminas-form/pull/161
github.com/laminas/laminas-form/security/advisories/GHSA-jq4p-mq33-w375
lists.fedoraproject.org/archives/list/[email protected]/message/CFF6WJ5I7PSEBRF6I753WKE2BXFBGQXE/
lists.fedoraproject.org/archives/list/[email protected]/message/SLNABVK26CE4PFL57VLY242FW3QY4CPC/
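The weakness the advisory describes is a generic one: a validator message interpolates the submitted value, and the view helper wraps that message in HTML without escaping it. The example below is added here to illustrate the pattern and its fix; it is not laminas-form code, and the function names (buildMessages, renderErrorsUnescaped, renderErrorsEscaped) and the sample input are constructed for the illustration. It shows the unescaped rendering beside the escaped form that a patched helper should produce.

```php
<?php
// Added illustration (not laminas-form code): why validator messages that
// embed raw submitted input must be HTML-escaped before they are rendered.
declare(strict_types=1);

/**
 * Hypothetical validator output. Many validators produce messages such as
 * "'<value>' is not a valid email address", so the attacker-controlled
 * submitted value ends up inside the message text.
 */
function buildMessages(string $submitted): array
{
    return [sprintf("'%s' is not a valid email address", $submitted)];
}

/**
 * Vulnerable pattern: messages are wrapped in list markup verbatim, so any
 * HTML contained in the submitted value is emitted into the page as markup.
 */
function renderErrorsUnescaped(array $messages): string
{
    return '<ul><li>' . implode('</li><li>', $messages) . '</li></ul>';
}

/**
 * Hardened pattern: every message is passed through htmlspecialchars()
 * before it is wrapped, so the submitted value is rendered as text.
 * ENT_QUOTES also escapes single quotes, which matters when the helper
 * is used inside attribute values.
 */
function renderErrorsEscaped(array $messages): string
{
    $escaped = array_map(
        static fn (string $m): string => htmlspecialchars(
            $m,
            ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
            'UTF-8'
        ),
        $messages
    );

    return '<ul><li>' . implode('</li><li>', $escaped) . '</li></ul>';
}

// Constructed sample input: a form field value that contains markup.
$submitted = '<script>alert("xss")</script>';
$messages  = buildMessages($submitted);

// The first line contains a live <script> element; the second contains
// only &lt;script&gt; text and is safe to place in an HTML response.
echo renderErrorsUnescaped($messages), PHP_EOL;
echo renderErrorsEscaped($messages), PHP_EOL;
```

A quick check for the affected pattern in an existing application is to submit a value containing a harmless tag such as `<b>test</b>` into a field with a validator whose message echoes the value, and confirm that the rendered error shows the tag as literal text rather than bold text. The fix referenced in the commit and pull request above moves this escaping into the view helper itself, so upgrading to a patched release removes the need for application code to escape error messages by hand, though templates that print validation messages directly, outside the helper, still need their own escaping.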