ZF2019-01: Information disclosure in zend-developer-tools
The package zendframework/zend-developer-tools provides a web-based toolbar for introspecting an application. When updating the package to support PHP 7.3, a change was made that could potentially prevent toolbar entries that are enabled by default from being disabled.
Affected versions
- zendframework/zend-developer-tools 1.2.2
Action Taken
A test was added to the package to verify that only whitelisted entries should be aggregated when configuring the toolbar, and the code updated to comply.
The patch resolving the vulnerability is available in zend-developer-tools 1.2.3.
We highly recommend all users of the package to update immediately.
Acknowledgments
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
- Marc Schulthess for advising us of the vulnerability.
