Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/zendframework/zendframework1@1.12.1
purl pkg:composer/zendframework/zendframework1@1.12.1
Next non-vulnerable version 1.12.20
Latest non-vulnerable version 1.12.20
Risk
Vulnerabilities affecting this package (17)
Vulnerability Summary Fixed by
VCID-2ncq-wptr-k3ha
Aliases:
ZF2015-08
SQL Injection Potential SQL injection vector using null byte for PDO (MsSql, SQLite).
1.12.16
Affected by 7 other vulnerabilities.
VCID-2xx4-77e9-pfbb
Aliases:
ZF2016-02
Potential SQL injection The implementation of `ORDER BY` and `GROUP BY` in `Zend_Db_Select` of ZF1 is vulnerable by the following SQL injection.
1.12.19
Affected by 1 other vulnerability.
VCID-5bm4-grk6-w7hk
Aliases:
CVE-2015-3154
GHSA-5957-5crx-79jx
CRLF Injection Potential CRLF injection attacks in mail and HTTP headers.
1.12.12
Affected by 11 other vulnerabilities.
VCID-6xpr-93ef-27cu
Aliases:
CVE-2014-8088
GHSA-f6rc-rh43-h8gr
Improper Authentication The (1) `Zend_Ldap` class in Zend and (2) `Zend
dap` component in Zend allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.
1.12.9
Affected by 12 other vulnerabilities.
VCID-8atm-865q-mkf3
Aliases:
ZF2015-09
Potential Information Disclosure and Insufficient Entropy vulnerability in `Zend\Captcha\Word`.
1.12.17
Affected by 5 other vulnerabilities.
VCID-a72a-7k6u-rqgr
Aliases:
ZF2014-04
SQL Injection Potential SQL injection in the ORDER implementation of `Zend_Db_Select`.
1.12.7
Affected by 14 other vulnerabilities.
VCID-afnn-53q5-wqft
Aliases:
ZF2014-02
Improper Authentication Potential security issue in login mechanism of ZendOpenId and Zend_OpenId consumer.
1.12.4
Affected by 15 other vulnerabilities.
VCID-bjvu-jg9w-mqdd
Aliases:
CVE-2016-6233
GHSA-p9hp-3gpv-52w3
SQL Injection The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern `[\w]*` in a regular expression.
1.12.19
Affected by 1 other vulnerability.
VCID-grk8-aj34-hqb4
Aliases:
ZF2014-01
Improper Restriction of XML External Entity Reference Potential XXE/XEE attacks using PHP functions: `simplexml_load_*`, `DOMDocument::loadXML`, and `xml_parse`.
1.12.4
Affected by 15 other vulnerabilities.
VCID-n2gy-93nd-gber
Aliases:
ZF2016-01
Potential Insufficient Entropy Vulnerability in ZF1.
1.12.18
Affected by 3 other vulnerabilities.
VCID-njsg-e1w1-9qcy
Aliases:
CVE-2015-5161
GHSA-xp8p-9rq5-4wgv
XXE/XEE vulnerability via multibyte payloads There's a flow that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only apply when running under PHP-FPM in a threaded environment.
1.12.14
Affected by 10 other vulnerabilities.
VCID-q73m-16a9-rkgx
Aliases:
GMS-2015-49
Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.
1.12.17
Affected by 5 other vulnerabilities.
VCID-q74z-645k-c7dk
Aliases:
CVE-2015-5723
GHSA-pw5c-xqf2-6xc2
Security Misconfiguration Vulnerability Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of
1.12.16
Affected by 7 other vulnerabilities.
VCID-r5y8-nc2w-kqde
Aliases:
CVE-2014-8089
GHSA-qh9w-r7g5-q939
SQL Injection SQL injection vector when manually quoting values for `sqlsrv` extension, using null byte.
1.12.9
Affected by 12 other vulnerabilities.
VCID-rc3w-5r97-k3b3
Aliases:
ZF2016-03
Potential SQL injection in ORDER and GROUP functions The implementation of ORDER BY and GROUP BY in `Zend_Db_Select` is prone to SQL injection when a combination of SQL expressions and comments are used.
1.12.20
Affected by 0 other vulnerabilities.
VCID-sjw9-2fwe-5ybg
Aliases:
ZF2016-11
Potential Insufficient Entropy There are several methods used to generate random numbers in ZF1 that potentially used insufficient entropy. Moreover, there's a potential security issue in the usage of the `openssl_random_pseudo_bytes()` function in `Zend_Crypt_Math::randBytes`, reported in PHP BUG #70014, and the security implications reported in a discussion on the `random_compat` library.
1.12.18
Affected by 3 other vulnerabilities.
VCID-uvgx-4m6v-2bg7
Aliases:
CVE-2015-7695
GHSA-2hvh-c5c2-vj85
SQL injection vector using null byte for PDO The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection. This only impacts MsSql and SQLite adapters.
1.12.16
Affected by 7 other vulnerabilities.
Vulnerabilities fixed by this package (3)
Vulnerability Summary Aliases
VCID-cp1a-fprd-9fhk Improper Restriction of XML External Entity Reference Potential XML eXternal Entity injection vectors in Zend Framework 1 `Zend_Feed` component. ZF2012-05
VCID-j5kg-jzxz-ruam ZendFramework potential XML eXternal Entity injection vectors `Zend_Feed_Rss` and `Zend_Feed_Atom` were found to contain potential XML eXternal Entity (XXE) vectors due to insecure usage of PHP's DOM extension. External entities could be specified by adding a specific DOCTYPE element to feeds; exploiting this vulnerability could coerce opening arbitrary files and/or TCP connections. A similar issue was fixed for 1.11.13 and 1.12.0, in the `Zend_Feed::import()` factory method; however, the reporter of the issue discovered that the individual classes contained similar functionality in their constructors which remained vulnerable. GHSA-4j9x-g4x8-vcmf
VCID-nsuf-xar5-f3hj Zend Framework XXE Vulnerability The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack. CVE-2012-5657
GHSA-9m5v-vq4f-mrvf

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-04T20:07:35.251500+00:00 GitLab Importer Affected by VCID-bjvu-jg9w-mqdd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/CVE-2016-6233.yml 38.6.0
2026-06-04T20:06:23.000049+00:00 GitLab Importer Affected by VCID-rc3w-5r97-k3b3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/ZF2016-03.yml 38.6.0
2026-06-04T20:06:10.483041+00:00 GitLab Importer Affected by VCID-2xx4-77e9-pfbb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/ZF2016-02.yml 38.6.0
2026-06-04T20:06:04.678768+00:00 GitLab Importer Affected by VCID-uvgx-4m6v-2bg7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/CVE-2015-7695.yml 38.6.0
2026-06-04T20:06:03.902527+00:00 GitLab Importer Affected by VCID-q74z-645k-c7dk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/CVE-2015-5723.yml 38.6.0
2026-06-04T20:05:48.347504+00:00 GitLab Importer Affected by VCID-n2gy-93nd-gber https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/ZF2016-01.yml 38.6.0
2026-06-04T20:05:48.232819+00:00 GitLab Importer Affected by VCID-sjw9-2fwe-5ybg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/ZF2016-11.yml 38.6.0
2026-06-04T20:05:13.913668+00:00 GitLab Importer Affected by VCID-q73m-16a9-rkgx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/GMS-2015-49.yml 38.6.0
2026-06-04T20:05:12.796840+00:00 GitLab Importer Affected by VCID-8atm-865q-mkf3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/ZF2015-09.yml 38.6.0
2026-06-04T20:05:03.514159+00:00 GitLab Importer Affected by VCID-2ncq-wptr-k3ha https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/ZF2015-08.yml 38.6.0
2026-06-04T20:05:00.602296+00:00 GitLab Importer Affected by VCID-njsg-e1w1-9qcy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/CVE-2015-5161.yml 38.6.0
2026-06-04T20:04:50.369254+00:00 GitLab Importer Affected by VCID-5bm4-grk6-w7hk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/CVE-2015-3154.yml 38.6.0
2026-06-04T20:04:31.527658+00:00 GitLab Importer Affected by VCID-6xpr-93ef-27cu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/CVE-2014-8088.yml 38.6.0
2026-06-04T20:04:28.698219+00:00 GitLab Importer Affected by VCID-r5y8-nc2w-kqde https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/CVE-2014-8089.yml 38.6.0
2026-06-04T20:04:19.850248+00:00 GitLab Importer Affected by VCID-a72a-7k6u-rqgr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/ZF2014-04.yml 38.6.0
2026-06-04T20:04:01.636635+00:00 GitLab Importer Affected by VCID-grk8-aj34-hqb4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/ZF2014-01.yml 38.6.0
2026-06-04T20:03:58.403045+00:00 GitLab Importer Affected by VCID-afnn-53q5-wqft https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/ZF2014-02.yml 38.6.0
2026-06-04T18:05:55.927689+00:00 GithubOSV Importer Fixing VCID-nsuf-xar5-f3hj https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9m5v-vq4f-mrvf/GHSA-9m5v-vq4f-mrvf.json 38.6.0
2026-06-04T16:50:49.546081+00:00 GithubOSV Importer Fixing VCID-j5kg-jzxz-ruam https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-4j9x-g4x8-vcmf/GHSA-4j9x-g4x8-vcmf.json 38.6.0
2026-06-04T16:21:54.360394+00:00 GitLab Importer Fixing VCID-j5kg-jzxz-ruam https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/GHSA-4j9x-g4x8-vcmf.yml 38.6.0
2026-06-02T04:36:06.707110+00:00 GitLab Importer Fixing VCID-cp1a-fprd-9fhk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/ZF2012-05.yml 38.6.0