Zend_Json_Encoder was not taking into account the solidus character (
during encoding, leading to incompatibilities with the JSON specification, and
opening the potential for XSS or HTML injection attacks when returning HTML
within a JSON string.
Zend_Json_Encoder was patched to escape the solidus character when encoding
PHP strings to JSON.
This particular vulnerability only affects those users who are either (a) using
Zend_Json_Encoder directly, (b) requesting native encoding instead of usage of
ext/json (e.g., by enabling the static
$useBuiltinEncoderDecoder property of
Zend_Json), or (c) on systems where
ext/json is unavailable (e.g. RHEL,
CentOS). If you are affected, we strongly recommend upgrading to the latest
available Zend Framework release, or one of the following releases, immediately.
The Zend Framework team thanks the following for working with us to help protect its users:
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org