Search for packages
| purl | pkg:composer/zendframework/zendframework@2.4.7 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-8atm-865q-mkf3
Aliases: ZF2015-09 |
Potential Information Disclosure and Insufficient Entropy vulnerability in `Zend\Captcha\Word`. |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-8d1t-m4zy-dkf4
Aliases: GHSA-fh7r-58q4-6387 |
Zendframework URL Rewrite vulnerability zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In each case, marshaling a request URI includes logic that introspects HTTP request headers that are specific to a given server-side URL rewrite mechanism. When these headers are present on systems not running the specific URL rewriting mechanism, the logic would still trigger, allowing a malicious client or proxy to emulate the headers to request arbitrary content. |
Affected by 3 other vulnerabilities. |
|
VCID-8fwb-56kb-jubf
Aliases: CVE-2015-7503 GHSA-pm9m-w23q-5967 |
Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey Zend\Crypt\PublicKey\Rsa\PublicKey has a call to `openssl_public_encrypt()` which uses PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts. Users should upgrade to a fixed version unless there are not using the RSA public key functionality. |
Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-q74z-645k-c7dk
Aliases: CVE-2015-5723 GHSA-pw5c-xqf2-6xc2 |
Security Misconfiguration Vulnerability Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of |
Affected by 8 other vulnerabilities. |
|
VCID-qs6q-pjks-euh4
Aliases: ZF2016-04 |
Remote code execution in zend-mail via Sendmail adapter A malicious user may be able to inject arbitrary parameters to the system Sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability. |
Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-vmut-b2y4-rkcp
Aliases: GMS-2015-48 |
Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation. |
Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-wrkx-jstz-8bhe
Aliases: GHSA-2fhr-8r8r-qp56 |
ZendFramework Information Disclosure and Insufficient Entropy vulnerability In Zend Framework, `Zend_Captcha_Word` (v1) and `Zend\Captcha\Word` (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's `internal array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. |
Affected by 4 other vulnerabilities. |
|
VCID-wz4g-j8zt-ruff
Aliases: ZF2018-01 |
URL Redirection to Untrusted Site (Open Redirect) URL Rewrite vulnerability. |
Affected by 3 other vulnerabilities. |
|
VCID-zfzg-uw7s-byhp
Aliases: GHSA-gff2-p6vm-3p8g |
ZendFramework potential remote code execution in zend-mail via Sendmail adapter When using the zend-mail component to send email via the `Zend\Mail\Transport\Sendmail transport`, a malicious user may be able to inject arbitrary parameters to the system sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||