LP-2020-02: XSS and RCE vectors in laminas-api-tools/api-tools-documentation-swagger
The package bundled versions of the following assets with known vulnerabilities:
- jQuery: CVE-2015-9251 (XSS)
- Handlebars: CVE-2019-19919 (RCE)
Affected versions:
- laminas-api-tools/api-tools-documentation-swagger versions prior to 1.3.1.
The bundled assets were updated to known-good versions.
The patch resolving the vulnerability is available in laminas-api-tools/api-tools-documentation-swagger 1.3.1.
We highly recommend that all users of the package update immediately.
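A defender-side check for this advisory, added here as an example and not code from the Laminas Project: it reads a composer.lock (a constructed sample is embedded; a real lock file path can be passed on the command line) and reports whether laminas-api-tools/api-tools-documentation-swagger is installed at a version below the fixed release 1.3.1. The version comparison is a simplified one written for this example, not Composer's own semver logic, and "dev-" branch versions are reported as unknown rather than compared.

```python
import json
import sys

PACKAGE = "laminas-api-tools/api-tools-documentation-swagger"
FIXED_VERSION = "1.3.1"  # first release carrying the updated bundled assets

# Constructed sample composer.lock content (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laminas/laminas-mvc", "version": "3.1.1"},
        {"name": PACKAGE, "version": "1.2.0"},
    ],
    "packages-dev": [],
})


def parse_version(version):
    """Turn '1.3.1' or 'v1.3.1' into a comparable tuple of ints.

    Stability suffixes such as '-p1' or '+build' are dropped; this is a
    simplified comparison, not Composer's full version grammar.
    """
    core = version.lstrip("vV").split("-")[0].split("+")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def find_package(lock_text, name):
    """Return the installed version string of `name` from composer.lock JSON, or None."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == name:
                return pkg.get("version")
    return None


def check_lock(lock_text, name=PACKAGE, fixed=FIXED_VERSION):
    """Classify the installed package as absent, unknown, vulnerable or fixed.

    Returns (installed_version, status). Branch installs ('dev-...') cannot be
    compared to a release number, so they are flagged for manual review.
    """
    version = find_package(lock_text, name)
    if version is None:
        return None, "absent"
    if version.startswith("dev-"):
        return version, "unknown"
    if parse_version(version) < parse_version(fixed):
        return version, "vulnerable"
    return version, "fixed"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock_text = fh.read()
    else:
        lock_text = SAMPLE_LOCK
    installed, status = check_lock(lock_text)
    print(f"{PACKAGE}: installed={installed} status={status} (fixed in {FIXED_VERSION})")
```

Run it against a project's composer.lock to confirm the package is at 1.3.1 or later; a "vulnerable" result means the older bundled jQuery and Handlebars assets are still shipped with the Swagger documentation UI.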
The Laminas Project thanks the following for identifying the issues and working with us to help protect its users:
- Kristijonas Bulzgis for advising us of the vulnerability.
- Michał Bundyra for developing the patch.