LP-2020-02: XSS and RCE vectors in laminas-api-tools/api-tools-documentation-swagger

The package laminas-api-tools/api-tools-documentation-swagger bundles a number of javascript assets for purposes of providing API documentation. Some of these assets had reported XSS (cross-site scripting) and RCE (remote code execution) vulnerabilities:

Affected versions

  • laminas-api-tools/api-tools-documentation-swagger versions prior to 1.3.1.

Action Taken

The bundled assets were updated to known-good versions.

The patch resolving the vulnerability is available in laminas-api-tools/api-tools-documentation-swagger 1.3.1.

We highly recommend all users of the package to update immediately.

Acknowledgments

The Laminas Project thanks the following for identifying the issues and working with us to help protect its users:

  • Kristijonas Bulzgis for advising us of the vulnerability.
  • Michał Bundyra for developing the patch.

Released 2020-04-01

Back to advisories

Have you identified a security vulnerability?

Please report it to us at security@getlaminas.org