Search for packages
| purl | pkg:composer/zendframework/zendframework1@1.12.13 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2ncq-wptr-k3ha
Aliases: ZF2015-08 |
SQL Injection Potential SQL injection vector using null byte for PDO (MsSql, SQLite). |
Affected by 7 other vulnerabilities. |
|
VCID-2xx4-77e9-pfbb
Aliases: ZF2016-02 |
Potential SQL injection The implementation of `ORDER BY` and `GROUP BY` in `Zend_Db_Select` of ZF1 is vulnerable by the following SQL injection. |
Affected by 1 other vulnerability. |
|
VCID-8atm-865q-mkf3
Aliases: ZF2015-09 |
Potential Information Disclosure and Insufficient Entropy vulnerability in `Zend\Captcha\Word`. |
Affected by 5 other vulnerabilities. |
|
VCID-bjvu-jg9w-mqdd
Aliases: CVE-2016-6233 GHSA-p9hp-3gpv-52w3 |
SQL Injection The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern `[\w]*` in a regular expression. |
Affected by 1 other vulnerability. |
|
VCID-n2gy-93nd-gber
Aliases: ZF2016-01 |
Potential Insufficient Entropy Vulnerability in ZF1. |
Affected by 3 other vulnerabilities. |
|
VCID-njsg-e1w1-9qcy
Aliases: CVE-2015-5161 GHSA-xp8p-9rq5-4wgv |
XXE/XEE vulnerability via multibyte payloads There's a flow that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only apply when running under PHP-FPM in a threaded environment. |
Affected by 10 other vulnerabilities. |
|
VCID-q73m-16a9-rkgx
Aliases: GMS-2015-49 |
Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation. |
Affected by 5 other vulnerabilities. |
|
VCID-q74z-645k-c7dk
Aliases: CVE-2015-5723 GHSA-pw5c-xqf2-6xc2 |
Security Misconfiguration Vulnerability Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of |
Affected by 7 other vulnerabilities. |
|
VCID-rc3w-5r97-k3b3
Aliases: ZF2016-03 |
Potential SQL injection in ORDER and GROUP functions The implementation of ORDER BY and GROUP BY in `Zend_Db_Select` is prone to SQL injection when a combination of SQL expressions and comments are used. |
Affected by 0 other vulnerabilities. |
|
VCID-sjw9-2fwe-5ybg
Aliases: ZF2016-11 |
Potential Insufficient Entropy There are several methods used to generate random numbers in ZF1 that potentially used insufficient entropy. Moreover, there's a potential security issue in the usage of the `openssl_random_pseudo_bytes()` function in `Zend_Crypt_Math::randBytes`, reported in PHP BUG #70014, and the security implications reported in a discussion on the `random_compat` library. |
Affected by 3 other vulnerabilities. |
|
VCID-uvgx-4m6v-2bg7
Aliases: CVE-2015-7695 GHSA-2hvh-c5c2-vj85 |
SQL injection vector using null byte for PDO The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection. This only impacts MsSql and SQLite adapters. |
Affected by 7 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||