LP-2020-01: XSS vectors in laminas-api-tools/api-tools

The package laminas-api-tools/api-tools bundles a number of javascript assets for purposes of providing an adminstration GUI and/or landing page. Some of these assets had reported XSS (cross-site scripting) vulnerabilities:

Bootstrap:
- CVE-2018-14042
- CVE-2019-8331
jQuery:
- CVE-2015-9251

Affected versions

laminas-api-tools/api-tools versions prior to 1.4.1.

Action Taken

The bundled assets were updated to known-good versions.

The patch resolving the vulnerability is available in laminas-api-tools/api-tools 1.4.1.

We highly recommend all users of the package to update immediately.

Acknowledgments

The Laminas Project thanks the following for identifying the issues and working with us to help protect its users:

Kristijonas Bulzgis for advising us of the vulnerability.
Michał Bundyra for developing the patch.

Released 2020-04-01

Back to advisories

Overview
Advisories
Feed

Have you identified a security vulnerability?

Please report it to us at security@getlaminas.org

LP-2020-01: XSS vectors in laminas-api-tools/api-tools¶

Affected versions¶

Action Taken¶

Acknowledgments

LP-2020-01: XSS vectors in laminas-api-tools/api-tools

Affected versions

Action Taken