LP-2020-02: XSS and RCE vectors in laminas-api-tools/api-tools-documentation-swagger
The package laminas-api-tools/api-tools-documentation-swagger bundles a number of javascript assets for purposes of providing API documentation. Some of these assets had reported XSS (cross-site scripting) and RCE (remote code execution) vulnerabilities:
- jQuery: CVE-2015-9251 (XSS)
- Handlebars: CVE-2019-19919 (RCE)
Affected versions
- laminas-api-tools/api-tools-documentation-swagger versions prior to 1.3.1.
Action Taken
The bundled assets were updated to known-good versions.
The patch resolving the vulnerability is available in laminas-api-tools/api-tools-documentation-swagger 1.3.1.
We highly recommend all users of the package to update immediately.
Acknowledgments
The Laminas Project thanks the following for identifying the issues and working with us to help protect its users:
- Kristijonas Bulzgis for advising us of the vulnerability.
- Michał Bundyra for developing the patch.
Released 2020-04-01
Have you identified a security vulnerability?
Please report it to us at security@getlaminas.org