====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN033
_____________________________________________________________________

DATE                : 20/01/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running
laminas-api-tools/api-tools-documentation-swagger versions prior to 1.3.1.

=====================================================================
https://getlaminas.org/security/advisory/LP-2020-02
_____________________________________________________________________

LP-2020-02: XSS and RCE vectors in
laminas-api-tools/api-tools-documentation-swagger

The package laminas-api-tools/api-tools-documentation-swagger bundles a
number of javascript assets for purposes of providing API documentation.
Some of these assets had reported XSS (cross-site scripting) and RCE
(remote code execution) vulnerabilities:

    jQuery: CVE-2015-9251 (XSS)
    Handlebars: CVE-2019-19919 (RCE)


Affected versions

    laminas-api-tools/api-tools-documentation-swagger versions prior to
      1.3.1.


Action Taken

The bundled assets were updated to known-good versions.

The patch resolving the vulnerability is available in
laminas-api-tools/api-tools-documentation-swagger 1.3.1.

We highly recommend all users of the package to update immediately.


Acknowledgments

The Laminas Project thanks the following for identifying the issues and
working with us to help protect its users:

    Kristijonas Bulzgis for advising us of the vulnerability.
    Michał Bundyra for developing the patch.

Released 2020-04-01


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================