id: zend-v1-xss info: name: ZendFramework 1.12.2 - Cross-Site Scripting author: c3l3si4n severity: medium description: | ZendFramework of versions <=1.12.2 contain a cross-site scripting vulnerability via an arbitrarily supplied parameter. reference: - https://twitter.com/c3l3si4n/status/1600035722148212737 classification: cpe: cpe:2.3:a:zend:zend_framework:1.12.2:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: zend product: zend_framework google-query: inurl:"/tests/Zend/Http/" tags: zend,zendframework,xss http: - method: GET path: - "{{BaseURL}}/vendor/diablomedia/zendframework1-http/tests/Zend/Http/Client/_files/testRedirections.php?redirection=3¶m=" - "{{BaseURL}}/tests/Zend/Http/Client/_files/testRedirections.php?redirection=3¶m=" stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - '"redirection"]' - '"param"' - '