Impact
If an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim.
The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path.
Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected.
Patches
The issue is fixed in 4.15.2.
Workarounds
Without upgrading, applications can:
- Avoid passing untrusted/request-derived data into
HttpException::setTitle() and setDescription(). Use static, plain-text error copy instead.
- Register a custom error renderer (an
ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type.
Acknowledgments
Slim is grateful to and thanks GitHub user 0xEr3n for reporting this issue.
Resources
References
Impact
If an application uses
HttpException::setTitle()and/orsetDescription()to include untrusted/request-derived data in the error title or description (e.g."No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim.The vulnerability is present even with
displayErrorDetails = falseas the unescaped title and description are rendered on this error path.Built-in exceptions (
HttpNotFoundException,HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data intosetTitle()and/orsetDescription()are affected.Patches
The issue is fixed in 4.15.2.
Workarounds
Without upgrading, applications can:
HttpException::setTitle()andsetDescription(). Use static, plain-text error copy instead.ErrorRendererInterfaceimplementation, or a subclass ofHtmlErrorRendererthat escapes the title and description) for the HTML media type.Acknowledgments
Slim is grateful to and thanks GitHub user 0xEr3n for reporting this issue.
Resources
References