Search for packages
| purl | pkg:composer/zendframework/zendframework@2.4.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-8atm-865q-mkf3
Aliases: ZF2015-09 |
Potential Information Disclosure and Insufficient Entropy vulnerability in `Zend\Captcha\Word`. |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-8d1t-m4zy-dkf4
Aliases: GHSA-fh7r-58q4-6387 |
Zendframework URL Rewrite vulnerability zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In each case, marshaling a request URI includes logic that introspects HTTP request headers that are specific to a given server-side URL rewrite mechanism. When these headers are present on systems not running the specific URL rewriting mechanism, the logic would still trigger, allowing a malicious client or proxy to emulate the headers to request arbitrary content. |
Affected by 3 other vulnerabilities. |
|
VCID-8fwb-56kb-jubf
Aliases: CVE-2015-7503 GHSA-pm9m-w23q-5967 |
Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey Zend\Crypt\PublicKey\Rsa\PublicKey has a call to `openssl_public_encrypt()` which uses PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts. Users should upgrade to a fixed version unless there are not using the RSA public key functionality. |
Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-njsg-e1w1-9qcy
Aliases: CVE-2015-5161 GHSA-xp8p-9rq5-4wgv |
XXE/XEE vulnerability via multibyte payloads There's a flow that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only apply when running under PHP-FPM in a threaded environment. |
Affected by 9 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-q74z-645k-c7dk
Aliases: CVE-2015-5723 GHSA-pw5c-xqf2-6xc2 |
Security Misconfiguration Vulnerability Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of |
Affected by 8 other vulnerabilities. |
|
VCID-qs6q-pjks-euh4
Aliases: ZF2016-04 |
Remote code execution in zend-mail via Sendmail adapter A malicious user may be able to inject arbitrary parameters to the system Sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability. |
Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-vmut-b2y4-rkcp
Aliases: GMS-2015-48 |
Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation. |
Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-wrkx-jstz-8bhe
Aliases: GHSA-2fhr-8r8r-qp56 |
ZendFramework Information Disclosure and Insufficient Entropy vulnerability In Zend Framework, `Zend_Captcha_Word` (v1) and `Zend\Captcha\Word` (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's `internal array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. |
Affected by 4 other vulnerabilities. |
|
VCID-wz4g-j8zt-ruff
Aliases: ZF2018-01 |
URL Redirection to Untrusted Site (Open Redirect) URL Rewrite vulnerability. |
Affected by 3 other vulnerabilities. |
|
VCID-zfzg-uw7s-byhp
Aliases: GHSA-gff2-p6vm-3p8g |
ZendFramework potential remote code execution in zend-mail via Sendmail adapter When using the zend-mail component to send email via the `Zend\Mail\Transport\Sendmail transport`, a malicious user may be able to inject arbitrary parameters to the system sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||