Search for packages
| purl | pkg:composer/zendframework/zend-session@2.3.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2g8z-51nu-17hs
Aliases: ZF2015-01 |
Session Fixation Session validation vulnerability. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-mra6-33ez-xbda
Aliases: GHSA-96c6-m98x-hxjx |
Zend-Session session validation vulnerability `Zend\Session` session validators do not work as expected if set prior to the start of a session. For instance, the following test case fails (where $this->manager is an instance of `Zend\Session\SessionManager`): ``` $this ->manager ->getValidatorChain() ->attach('session.validate', array(new RemoteAddr(), 'isValid')); $this->manager->start(); $this->assertSame( array( 'Zend\Session\Validator\RemoteAddr' =3D> '', ), $_SESSION['__ZF']['_VALID'] ); ``` The implication is that subsequent calls to `Zend\Session\SessionManager#start()` (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid. An attacker is thus able to simply ignore session validators such as `RemoteAddr` or `HttpUserAgent`, since the "signature" that these validators check against is not being stored in the session. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-04T16:21:55.524733+00:00 | GitLab Importer | Affected by | VCID-mra6-33ez-xbda | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zend-session/GHSA-96c6-m98x-hxjx.yml | 38.6.0 |
| 2026-06-02T04:36:20.663427+00:00 | GitLab Importer | Affected by | VCID-2g8z-51nu-17hs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zend-session/ZF2015-01.yml | 38.6.0 |