LP-2020-01: XSS vectors in laminas-api-tools/api-tools

The package laminas-api-tools/api-tools bundles a number of javascript assets for purposes of providing an adminstration GUI and/or landing page. Some of these assets had reported XSS (cross-site scripting) vulnerabilities:

Affected versions

  • laminas-api-tools/api-tools versions prior to 1.4.1.

Action Taken

The bundled assets were updated to known-good versions.

The patch resolving the vulnerability is available in laminas-api-tools/api-tools 1.4.1.

We highly recommend all users of the package to update immediately.


The Laminas Project thanks the following for identifying the issues and working with us to help protect its users:

  • Kristijonas Bulzgis for advising us of the vulnerability.
  • Michał Bundyra for developing the patch.

Released 2020-04-01

Back to advisories

Have you identified a security vulnerability?

Please report it to us at security@getlaminas.org