Search for packages
| purl | pkg:composer/zendframework/zendframework@2.0.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-29vd-mbdm-juh6
Aliases: GHSA-xg9w-r469-m455 |
ZendFramework Potential Information Disclosure and Insufficient Entropy vulnerabilities In Zend Framework 2, the `Zend\Math\Rand` component generates random bytes using the OpenSSL or Mcrypt extensions when available but will otherwise use PHP's `mt_rand()` function as a fallback. All outputs from `mt_rand()` are predictable for the same PHP process if an attacker can brute force the seed used by the Marsenne-Twister algorithm in a Seed Recovery Attack. This attack can be successfully applied with minimum effort if the attacker has access to either a random number from `mt_rand()` or a Session ID generated without using additional entropy. This makes `mt_rand()` unsuitable for generating non-trivial random bytes since it has Insufficient Entropy to protect against brute force attacks on the seed. The `Zend\Validate\Csrf` component generates CSRF tokens by SHA1 hashing a salt, random number possibly generated using `mt_rand()` and a form name. Where the salt is known, an attacker can brute force the SHA1 hash with minimum effort to discover the random number when `mt_rand()` is utilised as a fallback to the OpenSSL and Mcrypt extensions. This constitutes an Information Disclosure where the recovered random number may itself be brute forced to recover the seed value and predict the output of other `mt_rand()` calls for the same PHP process. This may potentially lead to vulnerabilities in areas of an application where `mt_rand()` calls exist beyond the scope of Zend Framework. |
Affected by 17 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-2em7-tb35-vqg8
Aliases: ZF2013-02 |
Potential Information Disclosure and Insufficient Entropy vulnerabilities in `Zend\Math\Rand` and `Zend\Validate\Csrf` Components. |
Affected by 17 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-2g8z-51nu-17hs
Aliases: ZF2015-01 |
Session Fixation Session validation vulnerability. |
Affected by 14 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-3s39-f3q9-33ep
Aliases: GHSA-62f6-h68r-3jpw |
Zendframework session validation vulnerability `Zend\Session` session validators do not work as expected if set prior to the start of a session. For instance, the following test case fails (where `$this->manager` is an instance of `Zend\Session\SessionManager`): ``` $this ->manager ->getValidatorChain() ->attach('session.validate', array(new RemoteAddr(), 'isValid')); $this->manager->start(); $this->assertSame( array( 'Zend\Session\Validator\RemoteAddr' =3D> '', ), $_SESSION['__ZF']['_VALID'] ); ``` The implication is that subsequent calls to `Zend\Session\SessionManager#start()` (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid. An attacker is thus able to simply ignore session validators such as RemoteAddr or HttpUserAgent, since the "signature" that these validators check against is not being stored in the session. |
Affected by 11 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-5bm4-grk6-w7hk
Aliases: CVE-2015-3154 GHSA-5957-5crx-79jx |
CRLF Injection Potential CRLF injection attacks in mail and HTTP headers. |
Affected by 14 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-6xpr-93ef-27cu
Aliases: CVE-2014-8088 GHSA-f6rc-rh43-h8gr |
Improper Authentication The (1) `Zend_Ldap` class in Zend and (2) `Zend
dap` component in Zend allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-8atm-865q-mkf3
Aliases: ZF2015-09 |
Potential Information Disclosure and Insufficient Entropy vulnerability in `Zend\Captcha\Word`. |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-8d1t-m4zy-dkf4
Aliases: GHSA-fh7r-58q4-6387 |
Zendframework URL Rewrite vulnerability zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In each case, marshaling a request URI includes logic that introspects HTTP request headers that are specific to a given server-side URL rewrite mechanism. When these headers are present on systems not running the specific URL rewriting mechanism, the logic would still trigger, allowing a malicious client or proxy to emulate the headers to request arbitrary content. |
Affected by 3 other vulnerabilities. |
|
VCID-8fwb-56kb-jubf
Aliases: CVE-2015-7503 GHSA-pm9m-w23q-5967 |
Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey Zend\Crypt\PublicKey\Rsa\PublicKey has a call to `openssl_public_encrypt()` which uses PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts. Users should upgrade to a fixed version unless there are not using the RSA public key functionality. |
Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9z4g-byhj-3fak
Aliases: CVE-2015-0270 GHSA-v59p-p692-v382 |
SQL Injection Zend Framework has Potential SQL injection in PostgreSQL `Zend\Db` adapter. |
Affected by 14 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-bd5k-r14f-guaz
Aliases: GHSA-mg7h-9qfx-4r83 |
ZendFramework Potential Proxy Injection Vulnerabilities `Zend\Session\Validator\RemoteAddr` and `Zend\View\Helper\ServerUrl` were found to be improperly parsing HTTP headers for proxy information, which could potentially allow an attacker to spoof a proxied IP or host name. In `Zend\Session\Validator\RemoteAddr`, if the client is behind a proxy server, the detection of the proxy URL was incorrect, and could lead to invalid results on subsequent lookups. In `Zend\View\Helper\ServerUrl`, if the server lives behind a proxy, the helper would always generate a URL based on the proxy host, regardless of whether or not this was desired; additionally, it did not take into account the proxy port or protocol, if provided. |
Affected by 23 other vulnerabilities. |
|
VCID-de8f-p8x2-fbfr
Aliases: ZF2013-03 |
SQL Injection Potential SQL injection due to execution of platform-specific SQL containing interpolations. |
Affected by 17 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-eezd-92tv-mkdf
Aliases: ZF2014-03 |
Cross-site Scripting Potential XSS vector in multiple view helpers. |
Affected by 15 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-fzj7-v53w-77ar
Aliases: ZF2012-04 |
Unintended Proxy or Intermediary ('Confused Deputy') Potential Proxy Injection Vulnerabilities in Multiple Zend Framework 2 Components. |
Affected by 23 other vulnerabilities. |
|
VCID-gtaf-3rjb-dycj
Aliases: GHSA-jq87-2wxp-8349 |
ZendFramework Route Parameter Injection Via Query String in `Zend\Mvc` In Zend Framework 2, `Zend\Mvc\Router\Http\Query` is used primarily to allow appending query strings to URLs when assembled. However, due to the fact that it captures any query parameters into the RouteMatch, and the fact that RouteMatch parameters are merged with any parent routes, this can lead to overriding already captured routing parameters, bypassing constraints defined in the parents. As an example, consider the following route definition: ``` array( 'user' => array( 'type' => 'segment', 'options' => array( 'route' => '/user/:key', 'defaults' => array( 'controller' => 'UserController', 'action' => 'show-action', ), 'constraints' => array( 'key' => '[a-z0-9]+', ), ), 'child_routes' => array( 'query' => array('type' => 'query'), ), ), ) ``` If the request URI was /user/foo/?controller=SecretController&key=invalid_value, the RouteMatch returned after routing would contain the following: ``` array( 'controller' => 'SecretController', 'action' => 'show-action', 'key' => 'invalid_value', ) ``` This would lead to execution of a different controller than intended, with a value for the key parameter that bypassed the constraints outlined in the parent route. |
Affected by 17 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-njsg-e1w1-9qcy
Aliases: CVE-2015-5161 GHSA-xp8p-9rq5-4wgv |
XXE/XEE vulnerability via multibyte payloads There's a flow that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only apply when running under PHP-FPM in a threaded environment. |
Affected by 9 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-q74z-645k-c7dk
Aliases: CVE-2015-5723 GHSA-pw5c-xqf2-6xc2 |
Security Misconfiguration Vulnerability Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of |
Affected by 8 other vulnerabilities. |
|
VCID-qs6q-pjks-euh4
Aliases: ZF2016-04 |
Remote code execution in zend-mail via Sendmail adapter A malicious user may be able to inject arbitrary parameters to the system Sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability. |
Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-tzsh-fvb6-s7f1
Aliases: GHSA-x2f4-8wxf-w3vf |
ZendFramework SQL injection due to execution of platform-specific SQL containing interpolations The `Zend\Db` component in Zend Framework 2 provides platform abstraction, which is used in particular for SQL abstraction. Two methods defined in the platform interface, `quoteValue()` and `quoteValueList()`, allow users to manually quote values for creating SQL statements; these are in turn consumed by aspects of the SQL abstraction platform, including `Zend\Db\Sql\Sql::getSqlStringForSqlObject()`, and the `getSqlString()` method provided in a number of classes in the Zend\Db\Sql namespace. While these methods are primarily intended for debugging and logging purposes, developers can use them to produce SQL that is then passed to the driver to execute. Due to a flaw in how the `quoteValue()` and `quoteValueList()` methods were written, this can lead to potential SQL injection. The offending code is located in any of the `Zend\Db\Adapter\Platform*` objects, particularly the quoteValue() and `quoteValueList()` methods. These methods did not take into account most of the possible escapable characters that would need to be escaped when attempting to create a quoted value for interpolation into a SQL string. Moreover, these methods did value quoting without extension level coordination which, when available, takes character-sets into account when quoting. |
Affected by 17 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-ux4f-q4es-gua5
Aliases: ZF2013-01 |
Paramter Injection Route Parameter Injection Via Query String in `Zend\Mvc`. |
Affected by 17 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-vmut-b2y4-rkcp
Aliases: GMS-2015-48 |
Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation. |
Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-wrkx-jstz-8bhe
Aliases: GHSA-2fhr-8r8r-qp56 |
ZendFramework Information Disclosure and Insufficient Entropy vulnerability In Zend Framework, `Zend_Captcha_Word` (v1) and `Zend\Captcha\Word` (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's `internal array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. |
Affected by 4 other vulnerabilities. |
|
VCID-wz4g-j8zt-ruff
Aliases: ZF2018-01 |
URL Redirection to Untrusted Site (Open Redirect) URL Rewrite vulnerability. |
Affected by 3 other vulnerabilities. |
|
VCID-z3nr-p8zz-4bey
Aliases: GHSA-8q77-cv62-jj38 |
Zendframework has potential Cross-site Scripting vector in multiple view helpers Many Zend Framework 2 view helpers were using the `escapeHtml()` view helper in order to escape HTML attributes, instead of the more appropriate `escapeHtmlAttr()`. In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting (XSS) attack vectors. Vulnerable view helpers include: - All `Zend\Form` view helpers. - Most `Zend\Navigation` (aka `Zend\View\Helper\Navigation\*`) view helpers. - All "HTML Element" view helpers: `htmlFlash()`, `htmlPage()`, `htmlQuickTime()`. - `Zend\View\Helper\Gravatar` |
Affected by 15 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-zfzg-uw7s-byhp
Aliases: GHSA-gff2-p6vm-3p8g |
ZendFramework potential remote code execution in zend-mail via Sendmail adapter When using the zend-mail component to send email via the `Zend\Mail\Transport\Sendmail transport`, a malicious user may be able to inject arbitrary parameters to the system sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||