Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/zendframework/zendframework@2.5.1

Type composer

Namespace zendframework

Name zendframework

Version 2.5.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.5.2

Latest_non_vulnerable_version 2.5.2

Affected_by_vulnerabilities

url VCID-8fwb-56kb-jubf

vulnerability_id VCID-8fwb-56kb-jubf

summary

Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey
Zend\Crypt\PublicKey\Rsa\PublicKey has a call to `openssl_public_encrypt()` which uses PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts. Users should upgrade to a fixed version unless there are not using the RSA public key functionality.

references

reference_url	http://framework.zend.com/security/advisory/ZF2015-10
reference_id
reference_type
scores
url	http://framework.zend.com/security/advisory/ZF2015-10

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2015-7503

reference_id

reference_type

scores

value	0.00249
scoring_system	epss
scoring_elements	0.48349
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2015-7503

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=1283137

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=1283137

reference_url

https://framework.zend.com/security/advisory/ZF2015-10

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://framework.zend.com/security/advisory/ZF2015-10

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-crypt/CVE-2015-7503.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-crypt/CVE-2015-7503.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-7503.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-7503.yaml

reference_url

https://github.com/zendframework/zendframework

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/zendframework/zendframework

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2015-7503

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2015-7503

fixed_packages

url	pkg:composer/zendframework/zendframework@2.5.2
purl	pkg:composer/zendframework/zendframework@2.5.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.5.2

aliases CVE-2015-7503, GHSA-pm9m-w23q-5967

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8fwb-56kb-jubf

url VCID-njsg-e1w1-9qcy

vulnerability_id VCID-njsg-e1w1-9qcy

summary

XXE/XEE vulnerability via multibyte payloads
There's a flow that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only apply when running under PHP-FPM in a threaded environment.

references

reference_url	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161
reference_id
reference_type
scores
url	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161

reference_url

http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html

reference_url

http://packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2015-5161

reference_id

reference_type

scores

value	0.39093
scoring_system	epss
scoring_elements	0.97355
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2015-5161

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161

reference_url

http://seclists.org/fulldisclosure/2015/Aug/46

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://seclists.org/fulldisclosure/2015/Aug/46

reference_url

https://framework.zend.com/security/advisory/ZF2015-06

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://framework.zend.com/security/advisory/ZF2015-06

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-5161.yaml

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-5161.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-5161.yaml

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-5161.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendxml/CVE-2015-5161.yaml

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendxml/CVE-2015-5161.yaml

reference_url

https://github.com/zendframework/ZendXml/commit/79f478fa2af85ce1fc18ac132dee5aa714c3b532

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/zendframework/ZendXml/commit/79f478fa2af85ce1fc18ac132dee5aa714c3b532

reference_url

https://github.com/zendframework/zf1/commit/ff7edddf1410b44b5ead857c02698aad9f748d1b

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/zendframework/zf1/commit/ff7edddf1410b44b5ead857c02698aad9f748d1b

reference_url

https://github.com/zendframework/zf1/issues/393

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/zendframework/zf1/issues/393

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2015-5161

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2015-5161

reference_url

https://web.archive.org/web/20200228055156/http://www.securityfocus.com/bid/76177

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20200228055156/http://www.securityfocus.com/bid/76177

reference_url

https://www.exploit-db.com/exploits/37765

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.exploit-db.com/exploits/37765

reference_url

http://www.debian.org/security/2015/dsa-3340

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.debian.org/security/2015/dsa-3340

reference_url

http://www.securityfocus.com/bid/76177

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.securityfocus.com/bid/76177

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/37765.txt
reference_id	CVE-2015-5161
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/37765.txt

reference_url

http://framework.zend.com/security/advisory/ZF2015-06

reference_id

CVE-2015-5161;OSVDB-125783

reference_type

exploit

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://framework.zend.com/security/advisory/ZF2015-06

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/38573.txt
reference_id	CVE-2015-5161;OSVDB-125783
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/38573.txt

fixed_packages

url	pkg:composer/zendframework/zendframework@2.5.2
purl	pkg:composer/zendframework/zendframework@2.5.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.5.2

aliases CVE-2015-5161, GHSA-xp8p-9rq5-4wgv

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-njsg-e1w1-9qcy

url VCID-vmut-b2y4-rkcp

vulnerability_id VCID-vmut-b2y4-rkcp

summary

Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word
Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.

references

reference_url	http://framework.zend.com/security/advisory/ZF2015-09
reference_id
reference_type
scores
url	http://framework.zend.com/security/advisory/ZF2015-09

fixed_packages

url	pkg:composer/zendframework/zendframework@2.5.2
purl	pkg:composer/zendframework/zendframework@2.5.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.5.2

aliases GMS-2015-48

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vmut-b2y4-rkcp

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.5.1

Package Instance