Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
54 vulnerabilities found for zend_framework by zend
CVE-2020-29312 (GCVE-0-2020-29312)
Vulnerability from cvelistv5 – Published: 2023-04-04 00:00 – Updated: 2025-02-18 17:08 Disputed
VLAI
Summary
An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:48:01.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://zend.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://cowtransfer.com/s/f9684f004d7149"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/zendframework/zendframework"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-29312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T17:26:52.717518Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T17:08:59.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-15T21:37:07.002Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://zend.com"
},
{
"url": "https://cowtransfer.com/s/f9684f004d7149"
},
{
"url": "https://github.com/zendframework/zendframework"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-29312",
"datePublished": "2023-04-04T00:00:00.000Z",
"dateReserved": "2020-11-27T00:00:00.000Z",
"dateUpdated": "2025-02-18T17:08:59.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3007 (GCVE-0-2021-3007)
Vulnerability from cvelistv5 – Published: 2021-01-04 02:26 – Updated: 2024-08-03 16:45 Disputed
VLAI
Summary
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/Ling-Yizhou/zendframework3-/bl… | x_refsource_MISC |
| https://github.com/laminas/laminas-http/commits/2… | x_refsource_MISC |
| https://github.com/laminas/laminas-http/pull/48 | x_refsource_MISC |
| https://github.com/laminas/laminas-http/releases/… | x_refsource_MISC |
| https://research.checkpoint.com/2021/freakout-lev… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:50.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/laminas/laminas-http/pull/48"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/laminas/laminas-http/releases/tag/2.14.2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\\Http\\Response\\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a \"vulnerability in the PHP language itself\" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-19T16:08:20.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laminas/laminas-http/pull/48"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laminas/laminas-http/releases/tag/2.14.2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-3007",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\\Http\\Response\\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a \"vulnerability in the PHP language itself\" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md",
"refsource": "MISC",
"url": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md"
},
{
"name": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php",
"refsource": "MISC",
"url": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php"
},
{
"name": "https://github.com/laminas/laminas-http/pull/48",
"refsource": "MISC",
"url": "https://github.com/laminas/laminas-http/pull/48"
},
{
"name": "https://github.com/laminas/laminas-http/releases/tag/2.14.2",
"refsource": "MISC",
"url": "https://github.com/laminas/laminas-http/releases/tag/2.14.2"
},
{
"name": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
"refsource": "MISC",
"url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-3007",
"datePublished": "2021-01-04T02:26:45.000Z",
"dateReserved": "2021-01-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T16:45:50.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-8089 (GCVE-0-2014-8089)
Vulnerability from cvelistv5 – Published: 2020-02-17 21:39 – Updated: 2024-08-06 13:10
VLAI
Summary
SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/70011 | vdb-entryx_refsource_BID |
| http://seclists.org/oss-sec/2014/q4/276 | x_refsource_MISC |
| https://bugzilla.redhat.com/show_bug.cgi?id=1151277 | x_refsource_MISC |
| http://framework.zend.com/security/advisory/ZF2014-06 | x_refsource_MISC |
Date Public
2014-10-09 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:10:50.852Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "70011",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/70011"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2014/q4/276"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-10-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-17T21:39:04.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "70011",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/70011"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2014/q4/276"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-06"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-8089",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "70011",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/70011"
},
{
"name": "http://seclists.org/oss-sec/2014/q4/276",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2014/q4/276"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277"
},
{
"name": "http://framework.zend.com/security/advisory/ZF2014-06",
"refsource": "MISC",
"url": "http://framework.zend.com/security/advisory/ZF2014-06"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-8089",
"datePublished": "2020-02-17T21:39:04.000Z",
"dateReserved": "2014-10-10T00:00:00.000Z",
"dateUpdated": "2024-08-06T13:10:50.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-3154 (GCVE-0-2015-3154)
Vulnerability from cvelistv5 – Published: 2020-01-27 15:02 – Updated: 2024-08-06 05:39
VLAI
Summary
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
Severity
No CVSS data available.
CWE
- CRLF Injection
Assigner
References
1 reference
| URL | Tags |
|---|---|
| http://framework.zend.com/security/advisory/ZF2015-04 | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Zend Technologies | Zend Framework |
Affected:
before 1.12.12
Affected: 2.x before 2.3.8 Affected: 2.4.x before 2.4.1 |
Date Public
2015-05-07 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:39:31.844Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Zend Framework",
"vendor": "Zend Technologies",
"versions": [
{
"status": "affected",
"version": "before 1.12.12"
},
{
"status": "affected",
"version": "2.x before 2.3.8"
},
{
"status": "affected",
"version": "2.4.x before 2.4.1"
}
]
}
],
"datePublic": "2015-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "CRLF injection vulnerability in Zend\\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CRLF Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-27T15:02:12.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-04"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-3154",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zend Framework",
"version": {
"version_data": [
{
"version_value": "before 1.12.12"
},
{
"version_value": "2.x before 2.3.8"
},
{
"version_value": "2.4.x before 2.4.1"
}
]
}
}
]
},
"vendor_name": "Zend Technologies"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CRLF injection vulnerability in Zend\\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CRLF Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://framework.zend.com/security/advisory/ZF2015-04",
"refsource": "CONFIRM",
"url": "http://framework.zend.com/security/advisory/ZF2015-04"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-3154",
"datePublished": "2020-01-27T15:02:12.000Z",
"dateReserved": "2015-04-10T00:00:00.000Z",
"dateUpdated": "2024-08-06T05:39:31.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-4451 (GCVE-0-2012-4451)
Vulnerability from cvelistv5 – Published: 2020-01-03 16:03 – Updated: 2024-08-06 20:35
VLAI
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, or (8) View\Helper\Placeholder\Container\AbstractStandalone, related to Escaper.
Severity
No CVSS data available.
CWE
- Cross-Site Scripting
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug… | x_refsource_MISC |
| https://bugs.gentoo.org/show_bug.cgi?id=436210 | x_refsource_MISC |
| http://seclists.org/oss-sec/2012/q3/571 | x_refsource_MISC |
| http://seclists.org/oss-sec/2012/q3/573 | x_refsource_MISC |
| http://framework.zend.com/security/advisory/ZF2012-03 | x_refsource_MISC |
| https://bugzilla.redhat.com/show_bug.cgi?id=860738 | x_refsource_MISC |
| https://github.com/zendframework/zf2/commit/27131… | x_refsource_MISC |
| http://www.securityfocus.com/bid/55636 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Zend Technologies | Zend Framework |
Affected:
2.0.x before 2.0.1
|
Date Public
2012-09-21 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:35:09.764Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=436210"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2012/q3/571"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2012/q3/573"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2012-03"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=860738"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/55636"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Zend Framework",
"vendor": "Zend Technologies",
"versions": [
{
"status": "affected",
"version": "2.0.x before 2.0.1"
}
]
}
],
"datePublic": "2012-09-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\\PubSubHubbub, (3) Log\\Formatter\\Xml, (4) Tag\\Cloud\\Decorator, (5) Uri, (6) View\\Helper\\HeadStyle, (7) View\\Helper\\Navigation\\Sitemap, or (8) View\\Helper\\Placeholder\\Container\\AbstractStandalone, related to Escaper."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-03T16:03:03.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=436210"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2012/q3/571"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2012/q3/573"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://framework.zend.com/security/advisory/ZF2012-03"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=860738"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/55636"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-4451",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zend Framework",
"version": {
"version_data": [
{
"version_value": "2.0.x before 2.0.1"
}
]
}
}
]
},
"vendor_name": "Zend Technologies"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\\PubSubHubbub, (3) Log\\Formatter\\Xml, (4) Tag\\Cloud\\Decorator, (5) Uri, (6) View\\Helper\\HeadStyle, (7) View\\Helper\\Navigation\\Sitemap, or (8) View\\Helper\\Placeholder\\Container\\AbstractStandalone, related to Escaper."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10",
"refsource": "MISC",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10"
},
{
"name": "https://bugs.gentoo.org/show_bug.cgi?id=436210",
"refsource": "MISC",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=436210"
},
{
"name": "http://seclists.org/oss-sec/2012/q3/571",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2012/q3/571"
},
{
"name": "http://seclists.org/oss-sec/2012/q3/573",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2012/q3/573"
},
{
"name": "http://framework.zend.com/security/advisory/ZF2012-03",
"refsource": "MISC",
"url": "http://framework.zend.com/security/advisory/ZF2012-03"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=860738",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=860738"
},
{
"name": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733",
"refsource": "MISC",
"url": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733"
},
{
"name": "http://www.securityfocus.com/bid/55636",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/55636"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-4451",
"datePublished": "2020-01-03T16:03:03.000Z",
"dateReserved": "2012-08-21T00:00:00.000Z",
"dateUpdated": "2024-08-06T20:35:09.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-4913 (GCVE-0-2014-4913)
Vulnerability from cvelistv5 – Published: 2019-12-15 21:24 – Updated: 2024-08-06 11:34
VLAI
Summary
ZF2014-03 has a potential cross site scripting vector in multiple view helpers
Severity
No CVSS data available.
CWE
- Potential XSS vector in multiple view helpers
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://security-tracker.debian.org/tracker/CVE-2… | x_refsource_MISC |
| https://access.redhat.com/security/cve/cve-2014-4913 | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2014/07/11/4 | x_refsource_MISC |
| http://www.securityfocus.com/bid/66971 | x_refsource_MISC |
| https://framework.zend.com/security/advisory/ZF2014-03 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| zendframework | zendframework |
Affected:
Fixed: Zend Framework 2.2.7
Affected: Zend Framework 2.3.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:34:36.052Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2014-4913"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2014-4913"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2014/07/11/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/66971"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2014-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "zendframework",
"vendor": "zendframework",
"versions": [
{
"status": "affected",
"version": "Fixed: Zend Framework 2.2.7"
},
{
"status": "affected",
"version": "Zend Framework 2.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZF2014-03 has a potential cross site scripting vector in multiple view helpers"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Potential XSS vector in multiple view helpers",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-15T21:24:36.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2014-4913"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2014-4913"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2014/07/11/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/66971"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://framework.zend.com/security/advisory/ZF2014-03"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-4913",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "zendframework",
"version": {
"version_data": [
{
"version_value": "Fixed: Zend Framework 2.2.7"
},
{
"version_value": "Zend Framework 2.3.1"
}
]
}
}
]
},
"vendor_name": "zendframework"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ZF2014-03 has a potential cross site scripting vector in multiple view helpers"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Potential XSS vector in multiple view helpers"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2014-4913",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2014-4913"
},
{
"name": "https://access.redhat.com/security/cve/cve-2014-4913",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/cve-2014-4913"
},
{
"name": "http://www.openwall.com/lists/oss-security/2014/07/11/4",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2014/07/11/4"
},
{
"name": "http://www.securityfocus.com/bid/66971",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/66971"
},
{
"name": "https://framework.zend.com/security/advisory/ZF2014-03",
"refsource": "MISC",
"url": "https://framework.zend.com/security/advisory/ZF2014-03"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-4913",
"datePublished": "2019-12-15T21:24:36.000Z",
"dateReserved": "2014-07-11T00:00:00.000Z",
"dateUpdated": "2024-08-06T11:34:36.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-1939 (GCVE-0-2011-1939)
Vulnerability from cvelistv5 – Published: 2019-11-26 21:17 – Updated: 2024-08-06 22:46
VLAI
Summary
SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6.
Severity
No CVSS data available.
CWE
- potential SQL injection vector when using PDO_MySql (ZF2011-02)
Assigner
References
7 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/47919 | vdb-entryx_refsource_BID |
| https://security-tracker.debian.org/tracker/CVE-2… | x_refsource_MISC |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_MISC |
| https://access.redhat.com/security/cve/cve-2011-1939 | x_refsource_MISC |
| http://security.gentoo.org/glsa/glsa-201408-01.xml | x_refsource_MISC |
| https://framework.zend.com/security/advisory/ZF2011-02 | x_refsource_CONFIRM |
| https://bugs.php.net/bug.php?id=47802 | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| zendframework;PHP | zendframework |
Affected:
1.10.x before 1.10.9
Affected: 1.11.x before 1.11.6 |
|
| zendframework;PHP | PHP |
Affected:
before 5.3.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T22:46:00.810Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "47919",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/47919"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2011-1939"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-201408-01.xml"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2011-02"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.php.net/bug.php?id=47802"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "zendframework",
"vendor": "zendframework;PHP",
"versions": [
{
"status": "affected",
"version": "1.10.x before 1.10.9"
},
{
"status": "affected",
"version": "1.11.x before 1.11.6"
}
]
},
{
"product": "PHP",
"vendor": "zendframework;PHP",
"versions": [
{
"status": "affected",
"version": "before 5.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "potential SQL injection vector when using PDO_MySql (ZF2011-02)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-26T21:17:37.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "47919",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/47919"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2011-1939"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://security.gentoo.org/glsa/glsa-201408-01.xml"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/security/advisory/ZF2011-02"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.php.net/bug.php?id=47802"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-1939",
"datePublished": "2019-11-26T21:17:37.000Z",
"dateReserved": "2011-05-09T00:00:00.000Z",
"dateUpdated": "2024-08-06T22:46:00.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-4914 (GCVE-0-2014-4914)
Vulnerability from cvelistv5 – Published: 2017-12-29 14:00 – Updated: 2024-08-06 11:34
VLAI
Summary
The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| http://secunia.com/advisories/58847 | third-party-advisoryx_refsource_SECUNIA |
| http://openwall.com/lists/oss-security/2014/07/11/4 | mailing-listx_refsource_MLIST |
| http://jvn.jp/en/jp/JVN71730320/index.html | third-party-advisoryx_refsource_JVN |
| http://www.securityfocus.com/bid/68031 | vdb-entryx_refsource_BID |
| http://framework.zend.com/security/advisory/ZF2014-04 | x_refsource_CONFIRM |
| https://www.debian.org/security/2015/dsa-3265 | vendor-advisoryx_refsource_DEBIAN |
Date Public
2014-06-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:34:36.179Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "58847",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/58847"
},
{
"name": "[oss-security] 20140711 Re: Zend Framework CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/07/11/4"
},
{
"name": "JVN#71730320",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN71730320/index.html"
},
{
"name": "68031",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/68031"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-04"
},
{
"name": "DSA-3265",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2015/dsa-3265"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-06-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-30T10:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "58847",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/58847"
},
{
"name": "[oss-security] 20140711 Re: Zend Framework CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/07/11/4"
},
{
"name": "JVN#71730320",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN71730320/index.html"
},
{
"name": "68031",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/68031"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-04"
},
{
"name": "DSA-3265",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2015/dsa-3265"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-4914",
"datePublished": "2017-12-29T14:00:00.000Z",
"dateReserved": "2014-07-11T00:00:00.000Z",
"dateUpdated": "2024-08-06T11:34:36.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7503 (GCVE-0-2015-7503)
Vulnerability from cvelistv5 – Published: 2017-10-10 16:00 – Updated: 2024-08-06 07:51
VLAI
Summary
Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2.4.9, and 2.5.x before 2.5.2 allows remote attackers to recover the RSA private key.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://framework.zend.com/security/advisory/ZF2015-10 | x_refsource_CONFIRM |
| https://bugzilla.redhat.com/show_bug.cgi?id=1283137 | x_refsource_CONFIRM |
Date Public
2015-11-18 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:51:28.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2015-10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1283137"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-11-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2.4.9, and 2.5.x before 2.5.2 allows remote attackers to recover the RSA private key."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-10T15:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/security/advisory/ZF2015-10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1283137"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-7503",
"datePublished": "2017-10-10T16:00:00.000Z",
"dateReserved": "2015-09-29T00:00:00.000Z",
"dateUpdated": "2024-08-06T07:51:28.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1555 (GCVE-0-2015-1555)
Vulnerability from cvelistv5 – Published: 2017-08-07 17:00 – Updated: 2024-08-06 04:47
VLAI
Summary
Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| http://framework.zend.com/security/advisory/ZF2015-01 | x_refsource_CONFIRM |
Date Public
2015-01-14 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:47:16.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-01-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-07T16:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-1555",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://framework.zend.com/security/advisory/ZF2015-01",
"refsource": "CONFIRM",
"url": "http://framework.zend.com/security/advisory/ZF2015-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-1555",
"datePublished": "2017-08-07T17:00:00.000Z",
"dateReserved": "2015-02-07T00:00:00.000Z",
"dateUpdated": "2024-08-06T04:47:16.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1786 (GCVE-0-2015-1786)
Vulnerability from cvelistv5 – Published: 2017-06-08 21:00 – Updated: 2024-08-06 04:54
VLAI
Summary
Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework 2.3.x before 2.3.6 via null or malformed token identifiers.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://framework.zend.com/changelog/2.3.6 | x_refsource_CONFIRM |
| https://bugzilla.redhat.com/show_bug.cgi?id=1207781 | x_refsource_CONFIRM |
Date Public
2015-03-31 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:54:16.104Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/changelog/2.3.6"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1207781"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-03-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework 2.3.x before 2.3.6 via null or malformed token identifiers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-08T20:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/changelog/2.3.6"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1207781"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-1786",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework 2.3.x before 2.3.6 via null or malformed token identifiers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://framework.zend.com/changelog/2.3.6",
"refsource": "CONFIRM",
"url": "https://framework.zend.com/changelog/2.3.6"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1207781",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1207781"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-1786",
"datePublished": "2017-06-08T21:00:00.000Z",
"dateReserved": "2015-02-17T00:00:00.000Z",
"dateUpdated": "2024-08-06T04:54:16.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4861 (GCVE-0-2016-4861)
Vulnerability from cvelistv5 – Published: 2017-02-16 18:00 – Updated: 2024-08-06 00:46
VLAI
Summary
The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://security.gentoo.org/glsa/201804-10 | vendor-advisoryx_refsource_GENTOO |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.debian.org/debian-lts-announce/2018… | mailing-listx_refsource_MLIST |
| https://framework.zend.com/security/advisory/ZF2016-03 | x_refsource_CONFIRM |
| http://jvndb.jvn.jp/jvndb/JVNDB-2016-000158 | third-party-advisoryx_refsource_JVNDB |
| http://jvn.jp/en/jp/JVN18926672/index.html | third-party-advisoryx_refsource_JVN |
Date Public
2016-09-08 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:46:38.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2016-666d95d1d5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/"
},
{
"name": "GLSA-201804-10",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "FEDORA-2016-7f193a0c59",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/"
},
{
"name": "FEDORA-2016-77e5105570",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/"
},
{
"name": "[debian-lts-announce] 20180628 [SECURITY] [DLA 1403-1] zendframework security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00012.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2016-03"
},
{
"name": "JVNDB-2016-000158",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB",
"x_transferred"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000158"
},
{
"name": "JVN#18926672",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN18926672/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-09-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-21T09:57:02.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"name": "FEDORA-2016-666d95d1d5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/"
},
{
"name": "GLSA-201804-10",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "FEDORA-2016-7f193a0c59",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/"
},
{
"name": "FEDORA-2016-77e5105570",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/"
},
{
"name": "[debian-lts-announce] 20180628 [SECURITY] [DLA 1403-1] zendframework security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00012.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/security/advisory/ZF2016-03"
},
{
"name": "JVNDB-2016-000158",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000158"
},
{
"name": "JVN#18926672",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN18926672/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2016-4861",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2016-666d95d1d5",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/"
},
{
"name": "GLSA-201804-10",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "FEDORA-2016-7f193a0c59",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/"
},
{
"name": "FEDORA-2016-77e5105570",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/"
},
{
"name": "[debian-lts-announce] 20180628 [SECURITY] [DLA 1403-1] zendframework security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00012.html"
},
{
"name": "https://framework.zend.com/security/advisory/ZF2016-03",
"refsource": "CONFIRM",
"url": "https://framework.zend.com/security/advisory/ZF2016-03"
},
{
"name": "JVNDB-2016-000158",
"refsource": "JVNDB",
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000158"
},
{
"name": "JVN#18926672",
"refsource": "JVN",
"url": "http://jvn.jp/en/jp/JVN18926672/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2016-4861",
"datePublished": "2017-02-16T18:00:00.000Z",
"dateReserved": "2016-05-17T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:46:38.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-6233 (GCVE-0-2016-6233)
Vulnerability from cvelistv5 – Published: 2017-02-16 18:00 – Updated: 2024-08-06 01:22
VLAI
Summary
The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://security.gentoo.org/glsa/201804-10 | vendor-advisoryx_refsource_GENTOO |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://framework.zend.com/security/advisory/ZF2016-02 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/91802 | vdb-entryx_refsource_BID |
Date Public
2016-07-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:22:20.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2016-666d95d1d5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/"
},
{
"name": "GLSA-201804-10",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "FEDORA-2016-7f193a0c59",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/"
},
{
"name": "FEDORA-2016-77e5105570",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2016-02"
},
{
"name": "91802",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/91802"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-07-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\\w]* in a regular expression."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-21T09:57:02.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "FEDORA-2016-666d95d1d5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/"
},
{
"name": "GLSA-201804-10",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "FEDORA-2016-7f193a0c59",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/"
},
{
"name": "FEDORA-2016-77e5105570",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/security/advisory/ZF2016-02"
},
{
"name": "91802",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/91802"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2016-6233",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\\w]* in a regular expression."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2016-666d95d1d5",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/"
},
{
"name": "GLSA-201804-10",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "FEDORA-2016-7f193a0c59",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/"
},
{
"name": "FEDORA-2016-77e5105570",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/"
},
{
"name": "https://framework.zend.com/security/advisory/ZF2016-02",
"refsource": "CONFIRM",
"url": "https://framework.zend.com/security/advisory/ZF2016-02"
},
{
"name": "91802",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/91802"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2016-6233",
"datePublished": "2017-02-16T18:00:00.000Z",
"dateReserved": "2016-07-16T00:00:00.000Z",
"dateUpdated": "2024-08-06T01:22:20.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10034 (GCVE-0-2016-10034)
Vulnerability from cvelistv5 – Published: 2016-12-30 19:00 – Updated: 2024-08-06 03:07
VLAI
Summary
The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://security.gentoo.org/glsa/201804-10 | vendor-advisoryx_refsource_GENTOO |
| https://www.exploit-db.com/exploits/42221/ | exploitx_refsource_EXPLOIT-DB |
| https://framework.zend.com/security/advisory/ZF2016-04 | x_refsource_CONFIRM |
| https://legalhackers.com/advisories/ZendFramework… | x_refsource_MISC |
| https://www.exploit-db.com/exploits/40979/ | exploitx_refsource_EXPLOIT-DB |
| http://www.securitytracker.com/id/1037539 | vdb-entryx_refsource_SECTRACK |
| https://www.exploit-db.com/exploits/40986/ | exploitx_refsource_EXPLOIT-DB |
| http://www.securityfocus.com/bid/95144 | vdb-entryx_refsource_BID |
Date Public
2016-12-20 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:07:31.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "GLSA-201804-10",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "42221",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/42221/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2016-04"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html"
},
{
"name": "40979",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40979/"
},
{
"name": "1037539",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1037539"
},
{
"name": "40986",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40986/"
},
{
"name": "95144",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95144"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-12-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \\\" (backslash double quote) in a crafted e-mail address."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-21T09:57:02.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "GLSA-201804-10",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "42221",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/42221/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/security/advisory/ZF2016-04"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html"
},
{
"name": "40979",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40979/"
},
{
"name": "1037539",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1037539"
},
{
"name": "40986",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40986/"
},
{
"name": "95144",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95144"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10034",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \\\" (backslash double quote) in a crafted e-mail address."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "GLSA-201804-10",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "42221",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/42221/"
},
{
"name": "https://framework.zend.com/security/advisory/ZF2016-04",
"refsource": "CONFIRM",
"url": "https://framework.zend.com/security/advisory/ZF2016-04"
},
{
"name": "https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html",
"refsource": "MISC",
"url": "https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html"
},
{
"name": "40979",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40979/"
},
{
"name": "1037539",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1037539"
},
{
"name": "40986",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40986/"
},
{
"name": "95144",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95144"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10034",
"datePublished": "2016-12-30T19:00:00.000Z",
"dateReserved": "2016-12-23T00:00:00.000Z",
"dateUpdated": "2024-08-06T03:07:31.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-29312 (GCVE-0-2020-29312)
Vulnerability from nvd – Published: 2023-04-04 00:00 – Updated: 2025-02-18 17:08 Disputed
VLAI
Summary
An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:48:01.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://zend.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://cowtransfer.com/s/f9684f004d7149"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/zendframework/zendframework"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-29312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T17:26:52.717518Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T17:08:59.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-15T21:37:07.002Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://zend.com"
},
{
"url": "https://cowtransfer.com/s/f9684f004d7149"
},
{
"url": "https://github.com/zendframework/zendframework"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-29312",
"datePublished": "2023-04-04T00:00:00.000Z",
"dateReserved": "2020-11-27T00:00:00.000Z",
"dateUpdated": "2025-02-18T17:08:59.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3007 (GCVE-0-2021-3007)
Vulnerability from nvd – Published: 2021-01-04 02:26 – Updated: 2024-08-03 16:45 Disputed
VLAI
Summary
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/Ling-Yizhou/zendframework3-/bl… | x_refsource_MISC |
| https://github.com/laminas/laminas-http/commits/2… | x_refsource_MISC |
| https://github.com/laminas/laminas-http/pull/48 | x_refsource_MISC |
| https://github.com/laminas/laminas-http/releases/… | x_refsource_MISC |
| https://research.checkpoint.com/2021/freakout-lev… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:50.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/laminas/laminas-http/pull/48"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/laminas/laminas-http/releases/tag/2.14.2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\\Http\\Response\\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a \"vulnerability in the PHP language itself\" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-19T16:08:20.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laminas/laminas-http/pull/48"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laminas/laminas-http/releases/tag/2.14.2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-3007",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\\Http\\Response\\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a \"vulnerability in the PHP language itself\" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md",
"refsource": "MISC",
"url": "https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md"
},
{
"name": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php",
"refsource": "MISC",
"url": "https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php"
},
{
"name": "https://github.com/laminas/laminas-http/pull/48",
"refsource": "MISC",
"url": "https://github.com/laminas/laminas-http/pull/48"
},
{
"name": "https://github.com/laminas/laminas-http/releases/tag/2.14.2",
"refsource": "MISC",
"url": "https://github.com/laminas/laminas-http/releases/tag/2.14.2"
},
{
"name": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
"refsource": "MISC",
"url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-3007",
"datePublished": "2021-01-04T02:26:45.000Z",
"dateReserved": "2021-01-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T16:45:50.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-8089 (GCVE-0-2014-8089)
Vulnerability from nvd – Published: 2020-02-17 21:39 – Updated: 2024-08-06 13:10
VLAI
Summary
SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/70011 | vdb-entryx_refsource_BID |
| http://seclists.org/oss-sec/2014/q4/276 | x_refsource_MISC |
| https://bugzilla.redhat.com/show_bug.cgi?id=1151277 | x_refsource_MISC |
| http://framework.zend.com/security/advisory/ZF2014-06 | x_refsource_MISC |
Date Public
2014-10-09 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:10:50.852Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "70011",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/70011"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2014/q4/276"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-10-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-17T21:39:04.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "70011",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/70011"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2014/q4/276"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-06"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-8089",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "70011",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/70011"
},
{
"name": "http://seclists.org/oss-sec/2014/q4/276",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2014/q4/276"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1151277"
},
{
"name": "http://framework.zend.com/security/advisory/ZF2014-06",
"refsource": "MISC",
"url": "http://framework.zend.com/security/advisory/ZF2014-06"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-8089",
"datePublished": "2020-02-17T21:39:04.000Z",
"dateReserved": "2014-10-10T00:00:00.000Z",
"dateUpdated": "2024-08-06T13:10:50.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-3154 (GCVE-0-2015-3154)
Vulnerability from nvd – Published: 2020-01-27 15:02 – Updated: 2024-08-06 05:39
VLAI
Summary
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
Severity
No CVSS data available.
CWE
- CRLF Injection
Assigner
References
1 reference
| URL | Tags |
|---|---|
| http://framework.zend.com/security/advisory/ZF2015-04 | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Zend Technologies | Zend Framework |
Affected:
before 1.12.12
Affected: 2.x before 2.3.8 Affected: 2.4.x before 2.4.1 |
Date Public
2015-05-07 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:39:31.844Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Zend Framework",
"vendor": "Zend Technologies",
"versions": [
{
"status": "affected",
"version": "before 1.12.12"
},
{
"status": "affected",
"version": "2.x before 2.3.8"
},
{
"status": "affected",
"version": "2.4.x before 2.4.1"
}
]
}
],
"datePublic": "2015-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "CRLF injection vulnerability in Zend\\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CRLF Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-27T15:02:12.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-04"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-3154",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zend Framework",
"version": {
"version_data": [
{
"version_value": "before 1.12.12"
},
{
"version_value": "2.x before 2.3.8"
},
{
"version_value": "2.4.x before 2.4.1"
}
]
}
}
]
},
"vendor_name": "Zend Technologies"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CRLF injection vulnerability in Zend\\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CRLF Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://framework.zend.com/security/advisory/ZF2015-04",
"refsource": "CONFIRM",
"url": "http://framework.zend.com/security/advisory/ZF2015-04"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-3154",
"datePublished": "2020-01-27T15:02:12.000Z",
"dateReserved": "2015-04-10T00:00:00.000Z",
"dateUpdated": "2024-08-06T05:39:31.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-4451 (GCVE-0-2012-4451)
Vulnerability from nvd – Published: 2020-01-03 16:03 – Updated: 2024-08-06 20:35
VLAI
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, or (8) View\Helper\Placeholder\Container\AbstractStandalone, related to Escaper.
Severity
No CVSS data available.
CWE
- Cross-Site Scripting
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug… | x_refsource_MISC |
| https://bugs.gentoo.org/show_bug.cgi?id=436210 | x_refsource_MISC |
| http://seclists.org/oss-sec/2012/q3/571 | x_refsource_MISC |
| http://seclists.org/oss-sec/2012/q3/573 | x_refsource_MISC |
| http://framework.zend.com/security/advisory/ZF2012-03 | x_refsource_MISC |
| https://bugzilla.redhat.com/show_bug.cgi?id=860738 | x_refsource_MISC |
| https://github.com/zendframework/zf2/commit/27131… | x_refsource_MISC |
| http://www.securityfocus.com/bid/55636 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Zend Technologies | Zend Framework |
Affected:
2.0.x before 2.0.1
|
Date Public
2012-09-21 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:35:09.764Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=436210"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2012/q3/571"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2012/q3/573"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2012-03"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=860738"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/55636"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Zend Framework",
"vendor": "Zend Technologies",
"versions": [
{
"status": "affected",
"version": "2.0.x before 2.0.1"
}
]
}
],
"datePublic": "2012-09-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\\PubSubHubbub, (3) Log\\Formatter\\Xml, (4) Tag\\Cloud\\Decorator, (5) Uri, (6) View\\Helper\\HeadStyle, (7) View\\Helper\\Navigation\\Sitemap, or (8) View\\Helper\\Placeholder\\Container\\AbstractStandalone, related to Escaper."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-03T16:03:03.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=436210"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2012/q3/571"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2012/q3/573"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://framework.zend.com/security/advisory/ZF2012-03"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=860738"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/55636"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-4451",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zend Framework",
"version": {
"version_data": [
{
"version_value": "2.0.x before 2.0.1"
}
]
}
}
]
},
"vendor_name": "Zend Technologies"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\\PubSubHubbub, (3) Log\\Formatter\\Xml, (4) Tag\\Cloud\\Decorator, (5) Uri, (6) View\\Helper\\HeadStyle, (7) View\\Helper\\Navigation\\Sitemap, or (8) View\\Helper\\Placeholder\\Container\\AbstractStandalone, related to Escaper."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10",
"refsource": "MISC",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10"
},
{
"name": "https://bugs.gentoo.org/show_bug.cgi?id=436210",
"refsource": "MISC",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=436210"
},
{
"name": "http://seclists.org/oss-sec/2012/q3/571",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2012/q3/571"
},
{
"name": "http://seclists.org/oss-sec/2012/q3/573",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2012/q3/573"
},
{
"name": "http://framework.zend.com/security/advisory/ZF2012-03",
"refsource": "MISC",
"url": "http://framework.zend.com/security/advisory/ZF2012-03"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=860738",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=860738"
},
{
"name": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733",
"refsource": "MISC",
"url": "https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733"
},
{
"name": "http://www.securityfocus.com/bid/55636",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/55636"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-4451",
"datePublished": "2020-01-03T16:03:03.000Z",
"dateReserved": "2012-08-21T00:00:00.000Z",
"dateUpdated": "2024-08-06T20:35:09.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-4913 (GCVE-0-2014-4913)
Vulnerability from nvd – Published: 2019-12-15 21:24 – Updated: 2024-08-06 11:34
VLAI
Summary
ZF2014-03 has a potential cross site scripting vector in multiple view helpers
Severity
No CVSS data available.
CWE
- Potential XSS vector in multiple view helpers
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://security-tracker.debian.org/tracker/CVE-2… | x_refsource_MISC |
| https://access.redhat.com/security/cve/cve-2014-4913 | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2014/07/11/4 | x_refsource_MISC |
| http://www.securityfocus.com/bid/66971 | x_refsource_MISC |
| https://framework.zend.com/security/advisory/ZF2014-03 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| zendframework | zendframework |
Affected:
Fixed: Zend Framework 2.2.7
Affected: Zend Framework 2.3.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:34:36.052Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2014-4913"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2014-4913"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2014/07/11/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/66971"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2014-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "zendframework",
"vendor": "zendframework",
"versions": [
{
"status": "affected",
"version": "Fixed: Zend Framework 2.2.7"
},
{
"status": "affected",
"version": "Zend Framework 2.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZF2014-03 has a potential cross site scripting vector in multiple view helpers"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Potential XSS vector in multiple view helpers",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-15T21:24:36.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2014-4913"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2014-4913"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2014/07/11/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/66971"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://framework.zend.com/security/advisory/ZF2014-03"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-4913",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "zendframework",
"version": {
"version_data": [
{
"version_value": "Fixed: Zend Framework 2.2.7"
},
{
"version_value": "Zend Framework 2.3.1"
}
]
}
}
]
},
"vendor_name": "zendframework"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ZF2014-03 has a potential cross site scripting vector in multiple view helpers"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Potential XSS vector in multiple view helpers"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2014-4913",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2014-4913"
},
{
"name": "https://access.redhat.com/security/cve/cve-2014-4913",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/cve-2014-4913"
},
{
"name": "http://www.openwall.com/lists/oss-security/2014/07/11/4",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2014/07/11/4"
},
{
"name": "http://www.securityfocus.com/bid/66971",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/66971"
},
{
"name": "https://framework.zend.com/security/advisory/ZF2014-03",
"refsource": "MISC",
"url": "https://framework.zend.com/security/advisory/ZF2014-03"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-4913",
"datePublished": "2019-12-15T21:24:36.000Z",
"dateReserved": "2014-07-11T00:00:00.000Z",
"dateUpdated": "2024-08-06T11:34:36.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-1939 (GCVE-0-2011-1939)
Vulnerability from nvd – Published: 2019-11-26 21:17 – Updated: 2024-08-06 22:46
VLAI
Summary
SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6.
Severity
No CVSS data available.
CWE
- potential SQL injection vector when using PDO_MySql (ZF2011-02)
Assigner
References
7 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/47919 | vdb-entryx_refsource_BID |
| https://security-tracker.debian.org/tracker/CVE-2… | x_refsource_MISC |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_MISC |
| https://access.redhat.com/security/cve/cve-2011-1939 | x_refsource_MISC |
| http://security.gentoo.org/glsa/glsa-201408-01.xml | x_refsource_MISC |
| https://framework.zend.com/security/advisory/ZF2011-02 | x_refsource_CONFIRM |
| https://bugs.php.net/bug.php?id=47802 | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| zendframework;PHP | zendframework |
Affected:
1.10.x before 1.10.9
Affected: 1.11.x before 1.11.6 |
|
| zendframework;PHP | PHP |
Affected:
before 5.3.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T22:46:00.810Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "47919",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/47919"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2011-1939"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-201408-01.xml"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2011-02"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.php.net/bug.php?id=47802"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "zendframework",
"vendor": "zendframework;PHP",
"versions": [
{
"status": "affected",
"version": "1.10.x before 1.10.9"
},
{
"status": "affected",
"version": "1.11.x before 1.11.6"
}
]
},
{
"product": "PHP",
"vendor": "zendframework;PHP",
"versions": [
{
"status": "affected",
"version": "before 5.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "potential SQL injection vector when using PDO_MySql (ZF2011-02)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-26T21:17:37.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "47919",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/47919"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1939"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2011-1939"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://security.gentoo.org/glsa/glsa-201408-01.xml"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/security/advisory/ZF2011-02"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.php.net/bug.php?id=47802"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-1939",
"datePublished": "2019-11-26T21:17:37.000Z",
"dateReserved": "2011-05-09T00:00:00.000Z",
"dateUpdated": "2024-08-06T22:46:00.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-4914 (GCVE-0-2014-4914)
Vulnerability from nvd – Published: 2017-12-29 14:00 – Updated: 2024-08-06 11:34
VLAI
Summary
The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| http://secunia.com/advisories/58847 | third-party-advisoryx_refsource_SECUNIA |
| http://openwall.com/lists/oss-security/2014/07/11/4 | mailing-listx_refsource_MLIST |
| http://jvn.jp/en/jp/JVN71730320/index.html | third-party-advisoryx_refsource_JVN |
| http://www.securityfocus.com/bid/68031 | vdb-entryx_refsource_BID |
| http://framework.zend.com/security/advisory/ZF2014-04 | x_refsource_CONFIRM |
| https://www.debian.org/security/2015/dsa-3265 | vendor-advisoryx_refsource_DEBIAN |
Date Public
2014-06-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:34:36.179Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "58847",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/58847"
},
{
"name": "[oss-security] 20140711 Re: Zend Framework CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/07/11/4"
},
{
"name": "JVN#71730320",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN71730320/index.html"
},
{
"name": "68031",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/68031"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-04"
},
{
"name": "DSA-3265",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2015/dsa-3265"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-06-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-30T10:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "58847",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/58847"
},
{
"name": "[oss-security] 20140711 Re: Zend Framework CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/07/11/4"
},
{
"name": "JVN#71730320",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN71730320/index.html"
},
{
"name": "68031",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/68031"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://framework.zend.com/security/advisory/ZF2014-04"
},
{
"name": "DSA-3265",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2015/dsa-3265"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-4914",
"datePublished": "2017-12-29T14:00:00.000Z",
"dateReserved": "2014-07-11T00:00:00.000Z",
"dateUpdated": "2024-08-06T11:34:36.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7503 (GCVE-0-2015-7503)
Vulnerability from nvd – Published: 2017-10-10 16:00 – Updated: 2024-08-06 07:51
VLAI
Summary
Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2.4.9, and 2.5.x before 2.5.2 allows remote attackers to recover the RSA private key.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://framework.zend.com/security/advisory/ZF2015-10 | x_refsource_CONFIRM |
| https://bugzilla.redhat.com/show_bug.cgi?id=1283137 | x_refsource_CONFIRM |
Date Public
2015-11-18 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:51:28.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2015-10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1283137"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-11-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2.4.9, and 2.5.x before 2.5.2 allows remote attackers to recover the RSA private key."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-10T15:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/security/advisory/ZF2015-10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1283137"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-7503",
"datePublished": "2017-10-10T16:00:00.000Z",
"dateReserved": "2015-09-29T00:00:00.000Z",
"dateUpdated": "2024-08-06T07:51:28.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1555 (GCVE-0-2015-1555)
Vulnerability from nvd – Published: 2017-08-07 17:00 – Updated: 2024-08-06 04:47
VLAI
Summary
Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| http://framework.zend.com/security/advisory/ZF2015-01 | x_refsource_CONFIRM |
Date Public
2015-01-14 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:47:16.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-01-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-07T16:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-1555",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://framework.zend.com/security/advisory/ZF2015-01",
"refsource": "CONFIRM",
"url": "http://framework.zend.com/security/advisory/ZF2015-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-1555",
"datePublished": "2017-08-07T17:00:00.000Z",
"dateReserved": "2015-02-07T00:00:00.000Z",
"dateUpdated": "2024-08-06T04:47:16.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1786 (GCVE-0-2015-1786)
Vulnerability from nvd – Published: 2017-06-08 21:00 – Updated: 2024-08-06 04:54
VLAI
Summary
Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework 2.3.x before 2.3.6 via null or malformed token identifiers.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://framework.zend.com/changelog/2.3.6 | x_refsource_CONFIRM |
| https://bugzilla.redhat.com/show_bug.cgi?id=1207781 | x_refsource_CONFIRM |
Date Public
2015-03-31 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:54:16.104Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/changelog/2.3.6"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1207781"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-03-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework 2.3.x before 2.3.6 via null or malformed token identifiers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-08T20:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/changelog/2.3.6"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1207781"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-1786",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework 2.3.x before 2.3.6 via null or malformed token identifiers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://framework.zend.com/changelog/2.3.6",
"refsource": "CONFIRM",
"url": "https://framework.zend.com/changelog/2.3.6"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1207781",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1207781"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-1786",
"datePublished": "2017-06-08T21:00:00.000Z",
"dateReserved": "2015-02-17T00:00:00.000Z",
"dateUpdated": "2024-08-06T04:54:16.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-6233 (GCVE-0-2016-6233)
Vulnerability from nvd – Published: 2017-02-16 18:00 – Updated: 2024-08-06 01:22
VLAI
Summary
The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://security.gentoo.org/glsa/201804-10 | vendor-advisoryx_refsource_GENTOO |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://framework.zend.com/security/advisory/ZF2016-02 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/91802 | vdb-entryx_refsource_BID |
Date Public
2016-07-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:22:20.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2016-666d95d1d5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/"
},
{
"name": "GLSA-201804-10",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "FEDORA-2016-7f193a0c59",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/"
},
{
"name": "FEDORA-2016-77e5105570",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2016-02"
},
{
"name": "91802",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/91802"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-07-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\\w]* in a regular expression."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-21T09:57:02.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "FEDORA-2016-666d95d1d5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/"
},
{
"name": "GLSA-201804-10",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "FEDORA-2016-7f193a0c59",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/"
},
{
"name": "FEDORA-2016-77e5105570",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/security/advisory/ZF2016-02"
},
{
"name": "91802",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/91802"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2016-6233",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\\w]* in a regular expression."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2016-666d95d1d5",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/"
},
{
"name": "GLSA-201804-10",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "FEDORA-2016-7f193a0c59",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/"
},
{
"name": "FEDORA-2016-77e5105570",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/"
},
{
"name": "https://framework.zend.com/security/advisory/ZF2016-02",
"refsource": "CONFIRM",
"url": "https://framework.zend.com/security/advisory/ZF2016-02"
},
{
"name": "91802",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/91802"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2016-6233",
"datePublished": "2017-02-16T18:00:00.000Z",
"dateReserved": "2016-07-16T00:00:00.000Z",
"dateUpdated": "2024-08-06T01:22:20.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4861 (GCVE-0-2016-4861)
Vulnerability from nvd – Published: 2017-02-16 18:00 – Updated: 2024-08-06 00:46
VLAI
Summary
The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://security.gentoo.org/glsa/201804-10 | vendor-advisoryx_refsource_GENTOO |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.debian.org/debian-lts-announce/2018… | mailing-listx_refsource_MLIST |
| https://framework.zend.com/security/advisory/ZF2016-03 | x_refsource_CONFIRM |
| http://jvndb.jvn.jp/jvndb/JVNDB-2016-000158 | third-party-advisoryx_refsource_JVNDB |
| http://jvn.jp/en/jp/JVN18926672/index.html | third-party-advisoryx_refsource_JVN |
Date Public
2016-09-08 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:46:38.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2016-666d95d1d5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/"
},
{
"name": "GLSA-201804-10",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "FEDORA-2016-7f193a0c59",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/"
},
{
"name": "FEDORA-2016-77e5105570",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/"
},
{
"name": "[debian-lts-announce] 20180628 [SECURITY] [DLA 1403-1] zendframework security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00012.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2016-03"
},
{
"name": "JVNDB-2016-000158",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB",
"x_transferred"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000158"
},
{
"name": "JVN#18926672",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN18926672/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-09-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-21T09:57:02.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"name": "FEDORA-2016-666d95d1d5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/"
},
{
"name": "GLSA-201804-10",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "FEDORA-2016-7f193a0c59",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/"
},
{
"name": "FEDORA-2016-77e5105570",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/"
},
{
"name": "[debian-lts-announce] 20180628 [SECURITY] [DLA 1403-1] zendframework security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00012.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/security/advisory/ZF2016-03"
},
{
"name": "JVNDB-2016-000158",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000158"
},
{
"name": "JVN#18926672",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN18926672/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2016-4861",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2016-666d95d1d5",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/"
},
{
"name": "GLSA-201804-10",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "FEDORA-2016-7f193a0c59",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/"
},
{
"name": "FEDORA-2016-77e5105570",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/"
},
{
"name": "[debian-lts-announce] 20180628 [SECURITY] [DLA 1403-1] zendframework security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00012.html"
},
{
"name": "https://framework.zend.com/security/advisory/ZF2016-03",
"refsource": "CONFIRM",
"url": "https://framework.zend.com/security/advisory/ZF2016-03"
},
{
"name": "JVNDB-2016-000158",
"refsource": "JVNDB",
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000158"
},
{
"name": "JVN#18926672",
"refsource": "JVN",
"url": "http://jvn.jp/en/jp/JVN18926672/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2016-4861",
"datePublished": "2017-02-16T18:00:00.000Z",
"dateReserved": "2016-05-17T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:46:38.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10034 (GCVE-0-2016-10034)
Vulnerability from nvd – Published: 2016-12-30 19:00 – Updated: 2024-08-06 03:07
VLAI
Summary
The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://security.gentoo.org/glsa/201804-10 | vendor-advisoryx_refsource_GENTOO |
| https://www.exploit-db.com/exploits/42221/ | exploitx_refsource_EXPLOIT-DB |
| https://framework.zend.com/security/advisory/ZF2016-04 | x_refsource_CONFIRM |
| https://legalhackers.com/advisories/ZendFramework… | x_refsource_MISC |
| https://www.exploit-db.com/exploits/40979/ | exploitx_refsource_EXPLOIT-DB |
| http://www.securitytracker.com/id/1037539 | vdb-entryx_refsource_SECTRACK |
| https://www.exploit-db.com/exploits/40986/ | exploitx_refsource_EXPLOIT-DB |
| http://www.securityfocus.com/bid/95144 | vdb-entryx_refsource_BID |
Date Public
2016-12-20 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:07:31.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "GLSA-201804-10",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "42221",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/42221/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://framework.zend.com/security/advisory/ZF2016-04"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html"
},
{
"name": "40979",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40979/"
},
{
"name": "1037539",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1037539"
},
{
"name": "40986",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40986/"
},
{
"name": "95144",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95144"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-12-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \\\" (backslash double quote) in a crafted e-mail address."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-21T09:57:02.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "GLSA-201804-10",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "42221",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/42221/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://framework.zend.com/security/advisory/ZF2016-04"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html"
},
{
"name": "40979",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40979/"
},
{
"name": "1037539",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1037539"
},
{
"name": "40986",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40986/"
},
{
"name": "95144",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95144"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10034",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \\\" (backslash double quote) in a crafted e-mail address."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "GLSA-201804-10",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201804-10"
},
{
"name": "42221",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/42221/"
},
{
"name": "https://framework.zend.com/security/advisory/ZF2016-04",
"refsource": "CONFIRM",
"url": "https://framework.zend.com/security/advisory/ZF2016-04"
},
{
"name": "https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html",
"refsource": "MISC",
"url": "https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html"
},
{
"name": "40979",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40979/"
},
{
"name": "1037539",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1037539"
},
{
"name": "40986",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40986/"
},
{
"name": "95144",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95144"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10034",
"datePublished": "2016-12-30T19:00:00.000Z",
"dateReserved": "2016-12-23T00:00:00.000Z",
"dateUpdated": "2024-08-06T03:07:31.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7695 (GCVE-0-2015-7695)
Vulnerability from nvd – Published: 2016-06-07 14:00 – Updated: 2024-08-06 07:58
VLAI
Summary
The PDO adapters in Zend Framework before 1.12.16 do not filer null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2015/09/30/8 | mailing-listx_refsource_MLIST |
| http://www.debian.org/security/2015/dsa-3369 | vendor-advisoryx_refsource_DEBIAN |
| http://www.openwall.com/lists/oss-security/2015/10/11/3 | mailing-listx_refsource_MLIST |
| http://www.openwall.com/lists/oss-security/2015/09/30/6 | mailing-listx_refsource_MLIST |
| http://www.securityfocus.com/bid/76784 | vdb-entryx_refsource_BID |
| http://framework.zend.com/security/advisory/ZF2015-08 | x_refsource_CONFIRM |
Date Public
2015-09-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:58:59.989Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20160930 Re: CVE Request: zendframework SQL injections",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/09/30/8"
},
{
"name": "DSA-3369",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2015/dsa-3369"
},
{
"name": "[oss-security] 20161011 Re: CVE Request: zendframework SQL injections",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/10/11/3"
},
{
"name": "[oss-security] 20160930 CVE Request: zendframework SQL injections",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/09/30/6"
},
{
"name": "76784",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/76784"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-08"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-09-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The PDO adapters in Zend Framework before 1.12.16 do not filer null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-25T19:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20160930 Re: CVE Request: zendframework SQL injections",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/09/30/8"
},
{
"name": "DSA-3369",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2015/dsa-3369"
},
{
"name": "[oss-security] 20161011 Re: CVE Request: zendframework SQL injections",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/10/11/3"
},
{
"name": "[oss-security] 20160930 CVE Request: zendframework SQL injections",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/09/30/6"
},
{
"name": "76784",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/76784"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-08"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-7695",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The PDO adapters in Zend Framework before 1.12.16 do not filer null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20160930 Re: CVE Request: zendframework SQL injections",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/09/30/8"
},
{
"name": "DSA-3369",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2015/dsa-3369"
},
{
"name": "[oss-security] 20161011 Re: CVE Request: zendframework SQL injections",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/10/11/3"
},
{
"name": "[oss-security] 20160930 CVE Request: zendframework SQL injections",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/09/30/6"
},
{
"name": "76784",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/76784"
},
{
"name": "http://framework.zend.com/security/advisory/ZF2015-08",
"refsource": "CONFIRM",
"url": "http://framework.zend.com/security/advisory/ZF2015-08"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-7695",
"datePublished": "2016-06-07T14:00:00.000Z",
"dateReserved": "2015-10-04T00:00:00.000Z",
"dateUpdated": "2024-08-06T07:58:59.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5723 (GCVE-0-2015-5723)
Vulnerability from nvd – Published: 2016-06-07 14:00 – Updated: 2024-08-06 06:59
VLAI
Summary
Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| http://www.debian.org/security/2015/dsa-3369 | vendor-advisoryx_refsource_DEBIAN |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| http://www.doctrine-project.org/2015/08/31/securi… | x_refsource_CONFIRM |
| http://framework.zend.com/security/advisory/ZF2015-07 | x_refsource_CONFIRM |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
Date Public
2015-09-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:59:04.234Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-3369",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2015/dsa-3369"
},
{
"name": "FEDORA-2016-8dc0af2c29",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-07"
},
{
"name": "FEDORA-2016-fa7e683c6e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-09-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-25T20:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "DSA-3369",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2015/dsa-3369"
},
{
"name": "FEDORA-2016-8dc0af2c29",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://framework.zend.com/security/advisory/ZF2015-07"
},
{
"name": "FEDORA-2016-fa7e683c6e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5723",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-3369",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2015/dsa-3369"
},
{
"name": "FEDORA-2016-8dc0af2c29",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/"
},
{
"name": "http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html",
"refsource": "CONFIRM",
"url": "http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html"
},
{
"name": "http://framework.zend.com/security/advisory/ZF2015-07",
"refsource": "CONFIRM",
"url": "http://framework.zend.com/security/advisory/ZF2015-07"
},
{
"name": "FEDORA-2016-fa7e683c6e",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5723",
"datePublished": "2016-06-07T14:00:00.000Z",
"dateReserved": "2015-08-03T00:00:00.000Z",
"dateUpdated": "2024-08-06T06:59:04.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}