Search criteria
81 vulnerabilities found for zend_framework by zend
FKIE_CVE-2020-29312
Vulnerability from fkie_nvd - Published: 2023-04-04 15:15 - Updated: 2025-02-18 17:15
Severity ?
Summary
An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| zend | zend_framework | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EE98955F-D65E-4675-A060-942DD2CC6CC5",
"versionEndIncluding": "3.1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020."
}
],
"id": "CVE-2020-29312",
"lastModified": "2025-02-18T17:15:11.653",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-04T15:15:08.457",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "http://zend.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://cowtransfer.com/s/f9684f004d7149"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/zendframework/zendframework"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "http://zend.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://cowtransfer.com/s/f9684f004d7149"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/zendframework/zendframework"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-3007
Vulnerability from fkie_nvd - Published: 2021-01-04 03:15 - Updated: 2024-11-21 06:20
Severity ?
Summary
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getlaminas | laminas-http | * | |
| zend | zend_framework | 3.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getlaminas:laminas-http:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D2E99556-4806-4485-B0BF-8C0069221705",
"versionEndExcluding": "2.14.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E62B6FB7-619D-4CA0-BC7A-081DC506D311",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\\Http\\Response\\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a \"vulnerability in the PHP language itself\" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized"
},
{
"lang": "es",
"value": "** EN DISPUTA ** Laminas Project laminas-http versi\u00f3n anterior a 2.14.2, y Zend Framework versi\u00f3n 3.0.0, tiene una vulnerabilidad de deserializaci\u00f3n que puede llevar a la ejecuci\u00f3n remota de c\u00f3digo si el contenido es controlable, relacionado con el m\u00e9todo __destructura de la clase Zend\\Http\\Response\\Stream en Stream.php. NOTA: Zend Framework ya no est\u00e1 soportado por el mantenedor. NOTA: el proveedor de laminas-http considera esto como una \"vulnerabilidad en el propio lenguaje PHP\" pero ha a\u00f1adido cierto tipo de chequeo como una forma de prevenir la explotaci\u00f3n en casos de uso (no recomendado) donde los datos suministrados por el atacante pueden ser deserializados"
}
],
"id": "CVE-2021-3007",
"lastModified": "2024-11-21T06:20:44.207",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-01-04T03:15:13.527",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/laminas/laminas-http/pull/48"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/laminas/laminas-http/releases/tag/2.14.2"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/laminas/laminas-http/pull/48"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/laminas/laminas-http/releases/tag/2.14.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-8089
Vulnerability from fkie_nvd - Published: 2020-02-17 22:15 - Updated: 2024-11-21 02:18
Severity ?
Summary
SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://framework.zend.com/security/advisory/ZF2014-06 | Exploit, Vendor Advisory | |
| cve@mitre.org | http://seclists.org/oss-sec/2014/q4/276 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/70011 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://bugzilla.redhat.com/show_bug.cgi?id=1151277 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://framework.zend.com/security/advisory/ZF2014-06 | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/oss-sec/2014/q4/276 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/70011 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1151277 | Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| zend | zend_framework | * | |
| zend | zend_framework | * | |
| zend | zend_framework | * | |
| redhat | enterprise_linux | 6.0 | |
| redhat | enterprise_linux | 7.0 | |
| fedoraproject | fedora | 19 | |
| fedoraproject | fedora | 20 | |
| fedoraproject | fedora | 21 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6B4F7467-35BE-4334-8252-884C2147CA25",
"versionEndExcluding": "1.12.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F466E328-5176-457D-B646-ED804E96BDBD",
"versionEndExcluding": "2.2.8",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9F1C6B34-A116-46B2-B3C0-AE47F4A3DA55",
"versionEndExcluding": "2.3.3",
"versionStartIncluding": "2.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*",
"matchCriteriaId": "5991814D-CA77-4C25-90D2-DB542B17E0AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*",
"matchCriteriaId": "FF47C9F0-D8DA-4B55-89EB-9B2C9383ADB9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
"matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en Zend Framework versiones anteriores a 1.12.9, versiones 2.2.x anteriores a 2.2.8 y versiones 2.3.x anteriores a 2.3.3, cuando se usa la extensi\u00f3n PHP sqlsrv, permite a atacantes remotos ejecutar comandos SQL arbitrarios por medio de un byte null."
}
],
"id": "CVE-2014-8089",
"lastModified": "2024-11-21T02:18:31.730",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-02-17T22:15:11.593",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-06"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2014/q4/276"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/70011"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-06"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2014/q4/276"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/70011"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-3154
Vulnerability from fkie_nvd - Published: 2020-01-27 16:15 - Updated: 2024-11-21 02:28
Severity ?
Summary
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
References
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | http://framework.zend.com/security/advisory/ZF2015-04 | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://framework.zend.com/security/advisory/ZF2015-04 | Exploit, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| zend | zend_framework | * | |
| zend | zend_framework | * | |
| zend | zend_framework | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7EC26DF5-0C36-47B9-A42C-563254068FE2",
"versionEndExcluding": "1.12.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1E14D72D-4775-4018-8BB5-1C1997FC3552",
"versionEndExcluding": "2.3.8",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F1035005-3678-4FFC-95CC-F1B2B35B4CDD",
"versionEndExcluding": "2.4.1",
"versionStartIncluding": "2.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CRLF injection vulnerability in Zend\\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n de tipo CRLF en Zend\\Mail (Zend_Mail) en Zend Framework versiones anteriores a 1.12.12, versiones 2.x anteriores a 2.3.8 y versiones 2.4.x anteriores a 2.4.1, permite a atacantes remotos inyectar encabezados HTTP arbitrarios y realizar ataques de divisi\u00f3n de respuesta HTTP por medio de secuencias de tipo CRLF en el encabezado de un correo electr\u00f3nico."
}
],
"id": "CVE-2015-3154",
"lastModified": "2024-11-21T02:28:47.377",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-27T16:15:11.063",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-04"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2012-4451
Vulnerability from fkie_nvd - Published: 2020-01-03 17:15 - Updated: 2024-11-21 01:42
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, or (8) View\Helper\Placeholder\Container\AbstractStandalone, related to Escaper.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| zend | zend_framework | * | |
| fedoraproject | fedora | 16 | |
| fedoraproject | fedora | 17 | |
| redhat | enterprise_linux | 6.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8AFA88C3-5613-4261-8FEC-B9914C0187BF",
"versionEndExcluding": "2.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:16:*:*:*:*:*:*:*",
"matchCriteriaId": "706C6399-CAD1-46E3-87A2-8DFE2CF497ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*",
"matchCriteriaId": "2DA9D861-3EAF-42F5-B0B6-A4CD7BDD6188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\\PubSubHubbub, (3) Log\\Formatter\\Xml, (4) Tag\\Cloud\\Decorator, (5) Uri, (6) View\\Helper\\HeadStyle, (7) View\\Helper\\Navigation\\Sitemap, or (8) View\\Helper\\Placeholder\\Container\\AbstractStandalone, related to Escaper."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de tipo cross-site scripting (XSS) en Zend Framework versiones 2.0.x anteriores a la versi\u00f3n 2.0.1, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio de una entrada no especificada en (1) Debug, (2) Feed\\PubSubHubbub, (3) Log\\Formatter\\Xml, (4) Tag\\Cloud\\Decorator, (5) Uri, (6) View\\Helper\\HeadStyle, (7) View\\Helper\\Navigation\\Sitemap, o (8) View\\Helper\\Placeholder\\Container\\AbstractStandalone, relacionado con Escaper."
}
],
"id": "CVE-2012-4451",
"lastModified": "2024-11-21T01:42:55.480",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-03T17:15:11.053",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://framework.zend.com/security/advisory/ZF2012-03"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2012/q3/571"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2012/q3/573"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/55636"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=436210"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=860738"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://framework.zend.com/security/advisory/ZF2012-03"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2012/q3/571"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2012/q3/573"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/55636"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=436210"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=860738"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-4913
Vulnerability from fkie_nvd - Published: 2019-12-15 22:15 - Updated: 2024-11-21 02:11
Severity ?
Summary
ZF2014-03 has a potential cross site scripting vector in multiple view helpers
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| zend | zend_framework | * | |
| zend | zend_framework | * | |
| debian | debian_linux | 8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "791B1B74-D95F-4A70-9002-28A4A4BBC2FC",
"versionEndExcluding": "2.2.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "40E6682C-9A84-442C-B8AD-6560117A5D8B",
"versionEndExcluding": "2.3.1",
"versionStartIncluding": "2.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ZF2014-03 has a potential cross site scripting vector in multiple view helpers"
},
{
"lang": "es",
"value": "ZF2014-03, tiene un vector potencial de tipo cross site scripting en m\u00faltiples asistentes de vista."
}
],
"id": "CVE-2014-4913",
"lastModified": "2024-11-21T02:11:06.817",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-15T22:15:11.933",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2014/07/11/4"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/66971"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/security/cve/cve-2014-4913"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://framework.zend.com/security/advisory/ZF2014-03"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2014-4913"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2014/07/11/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/66971"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/security/cve/cve-2014-4913"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://framework.zend.com/security/advisory/ZF2014-03"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2014-4913"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2011-1939
Vulnerability from fkie_nvd - Published: 2019-11-26 22:15 - Updated: 2024-11-21 01:27
Severity ?
Summary
SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| zend | zend_framework | * | |
| zend | zend_framework | * | |
| php | php | * | |
| debian | debian_linux | 8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E5191A23-BD5C-49FB-B76E-24BF59BE6E19",
"versionEndExcluding": "1.10.9",
"versionStartIncluding": "1.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A5D309B4-171B-440F-9F85-E9F2F4C9F9AF",
"versionEndExcluding": "1.11.6",
"versionStartIncluding": "1.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DAC569B2-A261-4D43-B677-F566568D42E9",
"versionEndExcluding": "5.3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en Zend Framework versiones 1.10.x anteriores a la versi\u00f3n 1.10.9 y versiones 1.11.x anteriores a la versi\u00f3n 1.11.6, cuando son utilizadas codificaciones no compatibles con ASCII junto con PDO_MySql en PHP versiones anteriores a la versi\u00f3n 5.3.6."
}
],
"id": "CVE-2011-1939",
"lastModified": "2024-11-21T01:27:21.067",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-26T22:15:14.133",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://security.gentoo.org/glsa/glsa-201408-01.xml"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/47919"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/security/cve/cve-2011-1939"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://bugs.php.net/bug.php?id=47802"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1939"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://framework.zend.com/security/advisory/ZF2011-02"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-1939"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://security.gentoo.org/glsa/glsa-201408-01.xml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/47919"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/security/cve/cve-2011-1939"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://bugs.php.net/bug.php?id=47802"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1939"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://framework.zend.com/security/advisory/ZF2011-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-1939"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-4914
Vulnerability from fkie_nvd - Published: 2017-12-29 14:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| zend | zend_framework | * | |
| debian | debian_linux | 7.0 | |
| debian | debian_linux | 8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4858D4E2-3CBC-4E8E-AF6C-1691FE93A2C4",
"versionEndExcluding": "1.12.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors."
},
{
"lang": "es",
"value": "La funci\u00f3n Zend_Db_Select::order en Zend Framework, en versiones anteriores a la 1.12.7, no gestiona correctamente los par\u00e9ntesis. Esto permite que atacantes remotos lleven a cabo ataques de inyecci\u00f3n SQL mediante vectores sin especificar."
}
],
"id": "CVE-2014-4914",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-29T14:29:00.220",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-04"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://jvn.jp/en/jp/JVN71730320/index.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://openwall.com/lists/oss-security/2014/07/11/4"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/58847"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/68031"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2015/dsa-3265"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://jvn.jp/en/jp/JVN71730320/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://openwall.com/lists/oss-security/2014/07/11/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/58847"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/68031"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2015/dsa-3265"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-7503
Vulnerability from fkie_nvd - Published: 2017-10-10 16:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2.4.9, and 2.5.x before 2.5.2 allows remote attackers to recover the RSA private key.
References
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1283137 | Issue Tracking, Third Party Advisory | |
| secalert@redhat.com | https://framework.zend.com/security/advisory/ZF2015-10 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1283137 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://framework.zend.com/security/advisory/ZF2015-10 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| zend | zend_framework | 2.4.0 | |
| zend | zend_framework | 2.4.1 | |
| zend | zend_framework | 2.4.2 | |
| zend | zend_framework | 2.4.3 | |
| zend | zend_framework | 2.4.4 | |
| zend | zend_framework | 2.4.5 | |
| zend | zend_framework | 2.4.6 | |
| zend | zend_framework | 2.4.7 | |
| zend | zend_framework | 2.4.8 | |
| zend | zend_framework | 2.5.0 | |
| zend | zend_framework | 2.5.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8CE2C2D7-D937-427B-9690-B1EA32314042",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "98145CC7-4F7E-40B2-BDD3-08AF81634AF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "35909C93-F7B3-4072-9FB7-E806AFDB585C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F8AFDDAC-A697-4F0C-9C1B-507A85DF8473",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "1F724D0C-0A0D-48A0-AE0B-A9645062AEF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0BC1E6B1-1456-419E-9711-10EAD142FE6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "5CAF7D7C-EB8C-4EF7-BBAE-4D7E86FD8F2A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2C6BBE4F-3EC6-415E-92DF-5663DD54D489",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "DA57B38C-E022-4C07-99DA-9C6824FB42C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A8CF6A3D-A182-4800-89FA-44BC4ACD7291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FCDA71DB-7D92-47EC-A706-2A61ACDC7CEB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2.4.9, and 2.5.x before 2.5.2 allows remote attackers to recover the RSA private key."
},
{
"lang": "es",
"value": "Zend Framework en versiones anteriores a la 2.4.9, zend-framework/zend-crypt en versiones 2.4.x anteriores a la 2.4.9 y 2.5.x anteriores a la 2.5.2 permite que atacantes remotos recuperen la clave privada RSA."
}
],
"id": "CVE-2015-7503",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-10-10T16:29:00.480",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1283137"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://framework.zend.com/security/advisory/ZF2015-10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1283137"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://framework.zend.com/security/advisory/ZF2015-10"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-320"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-1555
Vulnerability from fkie_nvd - Published: 2017-08-07 17:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| zend | zend_framework | 2.2.0 | |
| zend | zend_framework | 2.2.1 | |
| zend | zend_framework | 2.2.2 | |
| zend | zend_framework | 2.2.3 | |
| zend | zend_framework | 2.2.4 | |
| zend | zend_framework | 2.2.5 | |
| zend | zend_framework | 2.2.6 | |
| zend | zend_framework | 2.2.7 | |
| zend | zend_framework | 2.2.8 | |
| zend | zend_framework | 2.3.0 | |
| zend | zend_framework | 2.3.1 | |
| zend | zend_framework | 2.3.2 | |
| zend | zend_framework | 2.3.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D4D51607-3FA8-4E30-8B02-004F056583E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "90A9D6B0-D34B-423A-AB7D-D6B14F3F1FA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E258FDD6-AF80-4166-A3C0-BC41EAFD894C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "2B537EBA-396D-4C52-A65D-CD26E59EE44A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "80CD59F7-E5F7-4146-A422-79C652121D39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0F760DAF-39EE-400E-BEF4-B6816080538A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CB89CEA-8DC2-4DD2-8A41-BD944261E1CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "C85F6A88-33E7-4C71-B52B-99D13CD23F3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "75E530D7-6033-4151-AEF6-F7A0E3CC86CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "58B32A65-119C-45EF-8122-EBFCA41A1696",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "32E9E662-1642-49D6-9908-9BD4DE479114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0ACBA96F-C081-4B66-BC4B-C456FA688EA2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zend:zend_framework:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "23C2DD7D-3CB8-4E69-9B4D-B0A4552A1177",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators."
},
{
"lang": "es",
"value": "Zend/Session/SessionManager en Zend Framework 2.2.x en versiones anteriores a 2.2.9, 2.3.x en versiones anteriores a 2.3.4 permite que atacantes remotos creen sesiones v\u00e1lidas sin emplear validadores de sesi\u00f3n."
}
],
"id": "CVE-2015-1555",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-07T17:29:00.347",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-01"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2020-29312 (GCVE-0-2020-29312)
Vulnerability from cvelistv5 – Published: 2023-04-04 00:00 – Updated: 2025-02-18 17:08
VLAI?
Summary
An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:48:01.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://zend.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://cowtransfer.com/s/f9684f004d7149"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/zendframework/zendframework"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-29312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T17:26:52.717518Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T17:08:59.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-15T21:37:07.002Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://zend.com"
},
{
"url": "https://cowtransfer.com/s/f9684f004d7149"
},
{
"url": "https://github.com/zendframework/zendframework"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-29312",
"datePublished": "2023-04-04T00:00:00.000Z",
"dateReserved": "2020-11-27T00:00:00.000Z",
"dateUpdated": "2025-02-18T17:08:59.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3007 (GCVE-0-2021-3007)
Vulnerability from cvelistv5 – Published: 2021-01-04 02:26 – Updated: 2024-08-03 16:45
VLAI?
Summary
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:50.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/laminas/laminas-http/pull/48"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/laminas/laminas-http/releases/tag/2.14.2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\\Http\\Response\\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a \"vulnerability in the PHP language itself\" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-19T16:08:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laminas/laminas-http/pull/48"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laminas/laminas-http/releases/tag/2.14.2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-3007",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\\Http\\Response\\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a \"vulnerability in the PHP language itself\" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md",
"refsource": "MISC",
"url": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md"
},
{
"name": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php",
"refsource": "MISC",
"url": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php"
},
{
"name": "https://github.com/laminas/laminas-http/pull/48",
"refsource": "MISC",
"url": "https://github.com/laminas/laminas-http/pull/48"
},
{
"name": "https://github.com/laminas/laminas-http/releases/tag/2.14.2",
"refsource": "MISC",
"url": "https://github.com/laminas/laminas-http/releases/tag/2.14.2"
},
{
"name": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
"refsource": "MISC",
"url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-3007",
"datePublished": "2021-01-04T02:26:45",
"dateReserved": "2021-01-04T00:00:00",
"dateUpdated": "2024-08-03T16:45:50.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-8089 (GCVE-0-2014-8089)
Vulnerability from cvelistv5 – Published: 2020-02-17 21:39 – Updated: 2024-08-06 13:10
VLAI?
Summary
SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:10:50.852Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "70011",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/70011"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2014/q4/276"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-10-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-17T21:39:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "70011",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/70011"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2014/q4/276"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-06"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-8089",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "70011",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/70011"
},
{
"name": "http://seclists.org/oss-sec/2014/q4/276",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2014/q4/276"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277"
},
{
"name": "http://framework.zend.com/security/advisory/ZF2014-06",
"refsource": "MISC",
"url": "http://framework.zend.com/security/advisory/ZF2014-06"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-8089",
"datePublished": "2020-02-17T21:39:04",
"dateReserved": "2014-10-10T00:00:00",
"dateUpdated": "2024-08-06T13:10:50.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-3154 (GCVE-0-2015-3154)
Vulnerability from cvelistv5 – Published: 2020-01-27 15:02 – Updated: 2024-08-06 05:39
VLAI?
Summary
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
Severity ?
No CVSS data available.
CWE
- CRLF Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Zend Technologies | Zend Framework |
Affected:
before 1.12.12
Affected: 2.x before 2.3.8 Affected: 2.4.x before 2.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:39:31.844Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Zend Framework",
"vendor": "Zend Technologies",
"versions": [
{
"status": "affected",
"version": "before 1.12.12"
},
{
"status": "affected",
"version": "2.x before 2.3.8"
},
{
"status": "affected",
"version": "2.4.x before 2.4.1"
}
]
}
],
"datePublic": "2015-05-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "CRLF injection vulnerability in Zend\\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CRLF Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-27T15:02:12",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-04"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-3154",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zend Framework",
"version": {
"version_data": [
{
"version_value": "before 1.12.12"
},
{
"version_value": "2.x before 2.3.8"
},
{
"version_value": "2.4.x before 2.4.1"
}
]
}
}
]
},
"vendor_name": "Zend Technologies"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CRLF injection vulnerability in Zend\\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CRLF Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://framework.zend.com/security/advisory/ZF2015-04",
"refsource": "CONFIRM",
"url": "http://framework.zend.com/security/advisory/ZF2015-04"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-3154",
"datePublished": "2020-01-27T15:02:12",
"dateReserved": "2015-04-10T00:00:00",
"dateUpdated": "2024-08-06T05:39:31.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-4451 (GCVE-0-2012-4451)
Vulnerability from cvelistv5 – Published: 2020-01-03 16:03 – Updated: 2024-08-06 20:35
VLAI?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, or (8) View\Helper\Placeholder\Container\AbstractStandalone, related to Escaper.
Severity ?
No CVSS data available.
CWE
- Cross-Site Scripting
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Zend Technologies | Zend Framework |
Affected:
2.0.x before 2.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:35:09.764Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=436210"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2012/q3/571"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2012/q3/573"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2012-03"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=860738"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/55636"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Zend Framework",
"vendor": "Zend Technologies",
"versions": [
{
"status": "affected",
"version": "2.0.x before 2.0.1"
}
]
}
],
"datePublic": "2012-09-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\\PubSubHubbub, (3) Log\\Formatter\\Xml, (4) Tag\\Cloud\\Decorator, (5) Uri, (6) View\\Helper\\HeadStyle, (7) View\\Helper\\Navigation\\Sitemap, or (8) View\\Helper\\Placeholder\\Container\\AbstractStandalone, related to Escaper."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-03T16:03:03",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=436210"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2012/q3/571"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2012/q3/573"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://framework.zend.com/security/advisory/ZF2012-03"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=860738"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/55636"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-4451",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zend Framework",
"version": {
"version_data": [
{
"version_value": "2.0.x before 2.0.1"
}
]
}
}
]
},
"vendor_name": "Zend Technologies"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\\PubSubHubbub, (3) Log\\Formatter\\Xml, (4) Tag\\Cloud\\Decorator, (5) Uri, (6) View\\Helper\\HeadStyle, (7) View\\Helper\\Navigation\\Sitemap, or (8) View\\Helper\\Placeholder\\Container\\AbstractStandalone, related to Escaper."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10",
"refsource": "MISC",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10"
},
{
"name": "https://bugs.gentoo.org/show_bug.cgi?id=436210",
"refsource": "MISC",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=436210"
},
{
"name": "http://seclists.org/oss-sec/2012/q3/571",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2012/q3/571"
},
{
"name": "http://seclists.org/oss-sec/2012/q3/573",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2012/q3/573"
},
{
"name": "http://framework.zend.com/security/advisory/ZF2012-03",
"refsource": "MISC",
"url": "http://framework.zend.com/security/advisory/ZF2012-03"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=860738",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=860738"
},
{
"name": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733",
"refsource": "MISC",
"url": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733"
},
{
"name": "http://www.securityfocus.com/bid/55636",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/55636"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-4451",
"datePublished": "2020-01-03T16:03:03",
"dateReserved": "2012-08-21T00:00:00",
"dateUpdated": "2024-08-06T20:35:09.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-4913 (GCVE-0-2014-4913)
Vulnerability from cvelistv5 – Published: 2019-12-15 21:24 – Updated: 2024-08-06 11:34
VLAI?
Summary
ZF2014-03 has a potential cross site scripting vector in multiple view helpers
Severity ?
No CVSS data available.
CWE
- Potential XSS vector in multiple view helpers
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| zendframework | zendframework |
Affected:
Fixed: Zend Framework 2.2.7
Affected: Zend Framework 2.3.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:34:36.052Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2014-4913"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2014-4913"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2014/07/11/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/66971"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2014-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "zendframework",
"vendor": "zendframework",
"versions": [
{
"status": "affected",
"version": "Fixed: Zend Framework 2.2.7"
},
{
"status": "affected",
"version": "Zend Framework 2.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZF2014-03 has a potential cross site scripting vector in multiple view helpers"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Potential XSS vector in multiple view helpers",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-15T21:24:36",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2014-4913"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2014-4913"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2014/07/11/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/66971"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://framework.zend.com/security/advisory/ZF2014-03"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-4913",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "zendframework",
"version": {
"version_data": [
{
"version_value": "Fixed: Zend Framework 2.2.7"
},
{
"version_value": "Zend Framework 2.3.1"
}
]
}
}
]
},
"vendor_name": "zendframework"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ZF2014-03 has a potential cross site scripting vector in multiple view helpers"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Potential XSS vector in multiple view helpers"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2014-4913",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2014-4913"
},
{
"name": "https://access.redhat.com/security/cve/cve-2014-4913",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/cve-2014-4913"
},
{
"name": "http://www.openwall.com/lists/oss-security/2014/07/11/4",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2014/07/11/4"
},
{
"name": "http://www.securityfocus.com/bid/66971",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/66971"
},
{
"name": "https://framework.zend.com/security/advisory/ZF2014-03",
"refsource": "MISC",
"url": "https://framework.zend.com/security/advisory/ZF2014-03"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-4913",
"datePublished": "2019-12-15T21:24:36",
"dateReserved": "2014-07-11T00:00:00",
"dateUpdated": "2024-08-06T11:34:36.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-1939 (GCVE-0-2011-1939)
Vulnerability from cvelistv5 – Published: 2019-11-26 21:17 – Updated: 2024-08-06 22:46
VLAI?
Summary
SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6.
Severity ?
No CVSS data available.
CWE
- potential SQL injection vector when using PDO_MySql (ZF2011-02)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| zendframework;PHP | zendframework |
Affected:
1.10.x before 1.10.9
Affected: 1.11.x before 1.11.6 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T22:46:00.810Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "47919",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/47919"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2011-1939"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-201408-01.xml"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2011-02"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.php.net/bug.php?id=47802"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "zendframework",
"vendor": "zendframework;PHP",
"versions": [
{
"status": "affected",
"version": "1.10.x before 1.10.9"
},
{
"status": "affected",
"version": "1.11.x before 1.11.6"
}
]
},
{
"product": "PHP",
"vendor": "zendframework;PHP",
"versions": [
{
"status": "affected",
"version": "before 5.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "potential SQL injection vector when using PDO_MySql (ZF2011-02)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-26T21:17:37",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "47919",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/47919"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2011-1939"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://security.gentoo.org/glsa/glsa-201408-01.xml"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/security/advisory/ZF2011-02"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.php.net/bug.php?id=47802"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-1939",
"datePublished": "2019-11-26T21:17:37",
"dateReserved": "2011-05-09T00:00:00",
"dateUpdated": "2024-08-06T22:46:00.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-4914 (GCVE-0-2014-4914)
Vulnerability from cvelistv5 – Published: 2017-12-29 14:00 – Updated: 2024-08-06 11:34
VLAI?
Summary
The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:34:36.179Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "58847",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/58847"
},
{
"name": "[oss-security] 20140711 Re: Zend Framework CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/07/11/4"
},
{
"name": "JVN#71730320",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN71730320/index.html"
},
{
"name": "68031",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/68031"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-04"
},
{
"name": "DSA-3265",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2015/dsa-3265"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-06-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-30T10:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "58847",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/58847"
},
{
"name": "[oss-security] 20140711 Re: Zend Framework CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/07/11/4"
},
{
"name": "JVN#71730320",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN71730320/index.html"
},
{
"name": "68031",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/68031"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-04"
},
{
"name": "DSA-3265",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2015/dsa-3265"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-4914",
"datePublished": "2017-12-29T14:00:00",
"dateReserved": "2014-07-11T00:00:00",
"dateUpdated": "2024-08-06T11:34:36.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7503 (GCVE-0-2015-7503)
Vulnerability from cvelistv5 – Published: 2017-10-10 16:00 – Updated: 2024-08-06 07:51
VLAI?
Summary
Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2.4.9, and 2.5.x before 2.5.2 allows remote attackers to recover the RSA private key.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:51:28.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2015-10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1283137"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-11-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2.4.9, and 2.5.x before 2.5.2 allows remote attackers to recover the RSA private key."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-10T15:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/security/advisory/ZF2015-10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1283137"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-7503",
"datePublished": "2017-10-10T16:00:00",
"dateReserved": "2015-09-29T00:00:00",
"dateUpdated": "2024-08-06T07:51:28.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1555 (GCVE-0-2015-1555)
Vulnerability from cvelistv5 – Published: 2017-08-07 17:00 – Updated: 2024-08-06 04:47
VLAI?
Summary
Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:47:16.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-01-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-07T16:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-1555",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://framework.zend.com/security/advisory/ZF2015-01",
"refsource": "CONFIRM",
"url": "http://framework.zend.com/security/advisory/ZF2015-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-1555",
"datePublished": "2017-08-07T17:00:00",
"dateReserved": "2015-02-07T00:00:00",
"dateUpdated": "2024-08-06T04:47:16.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-29312 (GCVE-0-2020-29312)
Vulnerability from nvd – Published: 2023-04-04 00:00 – Updated: 2025-02-18 17:08
VLAI?
Summary
An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:48:01.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://zend.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://cowtransfer.com/s/f9684f004d7149"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/zendframework/zendframework"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-29312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T17:26:52.717518Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T17:08:59.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-15T21:37:07.002Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://zend.com"
},
{
"url": "https://cowtransfer.com/s/f9684f004d7149"
},
{
"url": "https://github.com/zendframework/zendframework"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-29312",
"datePublished": "2023-04-04T00:00:00.000Z",
"dateReserved": "2020-11-27T00:00:00.000Z",
"dateUpdated": "2025-02-18T17:08:59.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3007 (GCVE-0-2021-3007)
Vulnerability from nvd – Published: 2021-01-04 02:26 – Updated: 2024-08-03 16:45
VLAI?
Summary
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:50.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/laminas/laminas-http/pull/48"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/laminas/laminas-http/releases/tag/2.14.2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\\Http\\Response\\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a \"vulnerability in the PHP language itself\" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-19T16:08:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laminas/laminas-http/pull/48"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laminas/laminas-http/releases/tag/2.14.2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-3007",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\\Http\\Response\\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a \"vulnerability in the PHP language itself\" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md",
"refsource": "MISC",
"url": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md"
},
{
"name": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php",
"refsource": "MISC",
"url": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php"
},
{
"name": "https://github.com/laminas/laminas-http/pull/48",
"refsource": "MISC",
"url": "https://github.com/laminas/laminas-http/pull/48"
},
{
"name": "https://github.com/laminas/laminas-http/releases/tag/2.14.2",
"refsource": "MISC",
"url": "https://github.com/laminas/laminas-http/releases/tag/2.14.2"
},
{
"name": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
"refsource": "MISC",
"url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-3007",
"datePublished": "2021-01-04T02:26:45",
"dateReserved": "2021-01-04T00:00:00",
"dateUpdated": "2024-08-03T16:45:50.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-8089 (GCVE-0-2014-8089)
Vulnerability from nvd – Published: 2020-02-17 21:39 – Updated: 2024-08-06 13:10
VLAI?
Summary
SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:10:50.852Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "70011",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/70011"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2014/q4/276"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-10-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-17T21:39:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "70011",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/70011"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2014/q4/276"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-06"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-8089",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "70011",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/70011"
},
{
"name": "http://seclists.org/oss-sec/2014/q4/276",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2014/q4/276"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277"
},
{
"name": "http://framework.zend.com/security/advisory/ZF2014-06",
"refsource": "MISC",
"url": "http://framework.zend.com/security/advisory/ZF2014-06"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-8089",
"datePublished": "2020-02-17T21:39:04",
"dateReserved": "2014-10-10T00:00:00",
"dateUpdated": "2024-08-06T13:10:50.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-3154 (GCVE-0-2015-3154)
Vulnerability from nvd – Published: 2020-01-27 15:02 – Updated: 2024-08-06 05:39
VLAI?
Summary
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
Severity ?
No CVSS data available.
CWE
- CRLF Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Zend Technologies | Zend Framework |
Affected:
before 1.12.12
Affected: 2.x before 2.3.8 Affected: 2.4.x before 2.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:39:31.844Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Zend Framework",
"vendor": "Zend Technologies",
"versions": [
{
"status": "affected",
"version": "before 1.12.12"
},
{
"status": "affected",
"version": "2.x before 2.3.8"
},
{
"status": "affected",
"version": "2.4.x before 2.4.1"
}
]
}
],
"datePublic": "2015-05-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "CRLF injection vulnerability in Zend\\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CRLF Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-27T15:02:12",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-04"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-3154",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zend Framework",
"version": {
"version_data": [
{
"version_value": "before 1.12.12"
},
{
"version_value": "2.x before 2.3.8"
},
{
"version_value": "2.4.x before 2.4.1"
}
]
}
}
]
},
"vendor_name": "Zend Technologies"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CRLF injection vulnerability in Zend\\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CRLF Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://framework.zend.com/security/advisory/ZF2015-04",
"refsource": "CONFIRM",
"url": "http://framework.zend.com/security/advisory/ZF2015-04"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-3154",
"datePublished": "2020-01-27T15:02:12",
"dateReserved": "2015-04-10T00:00:00",
"dateUpdated": "2024-08-06T05:39:31.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-4451 (GCVE-0-2012-4451)
Vulnerability from nvd – Published: 2020-01-03 16:03 – Updated: 2024-08-06 20:35
VLAI?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, or (8) View\Helper\Placeholder\Container\AbstractStandalone, related to Escaper.
Severity ?
No CVSS data available.
CWE
- Cross-Site Scripting
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Zend Technologies | Zend Framework |
Affected:
2.0.x before 2.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:35:09.764Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=436210"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2012/q3/571"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2012/q3/573"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2012-03"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=860738"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/55636"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Zend Framework",
"vendor": "Zend Technologies",
"versions": [
{
"status": "affected",
"version": "2.0.x before 2.0.1"
}
]
}
],
"datePublic": "2012-09-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\\PubSubHubbub, (3) Log\\Formatter\\Xml, (4) Tag\\Cloud\\Decorator, (5) Uri, (6) View\\Helper\\HeadStyle, (7) View\\Helper\\Navigation\\Sitemap, or (8) View\\Helper\\Placeholder\\Container\\AbstractStandalone, related to Escaper."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-03T16:03:03",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=436210"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2012/q3/571"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2012/q3/573"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://framework.zend.com/security/advisory/ZF2012-03"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=860738"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/55636"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-4451",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zend Framework",
"version": {
"version_data": [
{
"version_value": "2.0.x before 2.0.1"
}
]
}
}
]
},
"vendor_name": "Zend Technologies"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\\PubSubHubbub, (3) Log\\Formatter\\Xml, (4) Tag\\Cloud\\Decorator, (5) Uri, (6) View\\Helper\\HeadStyle, (7) View\\Helper\\Navigation\\Sitemap, or (8) View\\Helper\\Placeholder\\Container\\AbstractStandalone, related to Escaper."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10",
"refsource": "MISC",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10"
},
{
"name": "https://bugs.gentoo.org/show_bug.cgi?id=436210",
"refsource": "MISC",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=436210"
},
{
"name": "http://seclists.org/oss-sec/2012/q3/571",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2012/q3/571"
},
{
"name": "http://seclists.org/oss-sec/2012/q3/573",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2012/q3/573"
},
{
"name": "http://framework.zend.com/security/advisory/ZF2012-03",
"refsource": "MISC",
"url": "http://framework.zend.com/security/advisory/ZF2012-03"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=860738",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=860738"
},
{
"name": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733",
"refsource": "MISC",
"url": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733"
},
{
"name": "http://www.securityfocus.com/bid/55636",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/55636"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-4451",
"datePublished": "2020-01-03T16:03:03",
"dateReserved": "2012-08-21T00:00:00",
"dateUpdated": "2024-08-06T20:35:09.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-4913 (GCVE-0-2014-4913)
Vulnerability from nvd – Published: 2019-12-15 21:24 – Updated: 2024-08-06 11:34
VLAI?
Summary
ZF2014-03 has a potential cross site scripting vector in multiple view helpers
Severity ?
No CVSS data available.
CWE
- Potential XSS vector in multiple view helpers
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| zendframework | zendframework |
Affected:
Fixed: Zend Framework 2.2.7
Affected: Zend Framework 2.3.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:34:36.052Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2014-4913"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2014-4913"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2014/07/11/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/66971"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2014-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "zendframework",
"vendor": "zendframework",
"versions": [
{
"status": "affected",
"version": "Fixed: Zend Framework 2.2.7"
},
{
"status": "affected",
"version": "Zend Framework 2.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZF2014-03 has a potential cross site scripting vector in multiple view helpers"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Potential XSS vector in multiple view helpers",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-15T21:24:36",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2014-4913"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2014-4913"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2014/07/11/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/66971"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://framework.zend.com/security/advisory/ZF2014-03"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-4913",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "zendframework",
"version": {
"version_data": [
{
"version_value": "Fixed: Zend Framework 2.2.7"
},
{
"version_value": "Zend Framework 2.3.1"
}
]
}
}
]
},
"vendor_name": "zendframework"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ZF2014-03 has a potential cross site scripting vector in multiple view helpers"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Potential XSS vector in multiple view helpers"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2014-4913",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2014-4913"
},
{
"name": "https://access.redhat.com/security/cve/cve-2014-4913",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/cve-2014-4913"
},
{
"name": "http://www.openwall.com/lists/oss-security/2014/07/11/4",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2014/07/11/4"
},
{
"name": "http://www.securityfocus.com/bid/66971",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/66971"
},
{
"name": "https://framework.zend.com/security/advisory/ZF2014-03",
"refsource": "MISC",
"url": "https://framework.zend.com/security/advisory/ZF2014-03"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-4913",
"datePublished": "2019-12-15T21:24:36",
"dateReserved": "2014-07-11T00:00:00",
"dateUpdated": "2024-08-06T11:34:36.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-1939 (GCVE-0-2011-1939)
Vulnerability from nvd – Published: 2019-11-26 21:17 – Updated: 2024-08-06 22:46
VLAI?
Summary
SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6.
Severity ?
No CVSS data available.
CWE
- potential SQL injection vector when using PDO_MySql (ZF2011-02)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| zendframework;PHP | zendframework |
Affected:
1.10.x before 1.10.9
Affected: 1.11.x before 1.11.6 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T22:46:00.810Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "47919",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/47919"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2011-1939"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-201408-01.xml"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2011-02"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.php.net/bug.php?id=47802"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "zendframework",
"vendor": "zendframework;PHP",
"versions": [
{
"status": "affected",
"version": "1.10.x before 1.10.9"
},
{
"status": "affected",
"version": "1.11.x before 1.11.6"
}
]
},
{
"product": "PHP",
"vendor": "zendframework;PHP",
"versions": [
{
"status": "affected",
"version": "before 5.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "potential SQL injection vector when using PDO_MySql (ZF2011-02)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-26T21:17:37",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "47919",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/47919"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2011-1939"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://security.gentoo.org/glsa/glsa-201408-01.xml"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/security/advisory/ZF2011-02"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.php.net/bug.php?id=47802"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-1939",
"datePublished": "2019-11-26T21:17:37",
"dateReserved": "2011-05-09T00:00:00",
"dateUpdated": "2024-08-06T22:46:00.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-4914 (GCVE-0-2014-4914)
Vulnerability from nvd – Published: 2017-12-29 14:00 – Updated: 2024-08-06 11:34
VLAI?
Summary
The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:34:36.179Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "58847",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/58847"
},
{
"name": "[oss-security] 20140711 Re: Zend Framework CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/07/11/4"
},
{
"name": "JVN#71730320",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN71730320/index.html"
},
{
"name": "68031",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/68031"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-04"
},
{
"name": "DSA-3265",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2015/dsa-3265"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-06-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-30T10:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "58847",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/58847"
},
{
"name": "[oss-security] 20140711 Re: Zend Framework CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/07/11/4"
},
{
"name": "JVN#71730320",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN71730320/index.html"
},
{
"name": "68031",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/68031"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-04"
},
{
"name": "DSA-3265",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2015/dsa-3265"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-4914",
"datePublished": "2017-12-29T14:00:00",
"dateReserved": "2014-07-11T00:00:00",
"dateUpdated": "2024-08-06T11:34:36.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7503 (GCVE-0-2015-7503)
Vulnerability from nvd – Published: 2017-10-10 16:00 – Updated: 2024-08-06 07:51
VLAI?
Summary
Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2.4.9, and 2.5.x before 2.5.2 allows remote attackers to recover the RSA private key.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:51:28.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2015-10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1283137"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-11-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2.4.9, and 2.5.x before 2.5.2 allows remote attackers to recover the RSA private key."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-10T15:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/security/advisory/ZF2015-10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1283137"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-7503",
"datePublished": "2017-10-10T16:00:00",
"dateReserved": "2015-09-29T00:00:00",
"dateUpdated": "2024-08-06T07:51:28.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1555 (GCVE-0-2015-1555)
Vulnerability from nvd – Published: 2017-08-07 17:00 – Updated: 2024-08-06 04:47
VLAI?
Summary
Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:47:16.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-01-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-07T16:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-1555",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://framework.zend.com/security/advisory/ZF2015-01",
"refsource": "CONFIRM",
"url": "http://framework.zend.com/security/advisory/ZF2015-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-1555",
"datePublished": "2017-08-07T17:00:00",
"dateReserved": "2015-02-07T00:00:00",
"dateUpdated": "2024-08-06T04:47:16.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}