Package details: pkg:composer/zendframework/zendopenid@2.0.2
purl pkg:composer/zendframework/zendopenid@2.0.2
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (5)

VCID-6fzg-den8-rqc8
  Summary: Several Zend Products Vulnerable to XXE and XEE attacks
  Description: Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.
  Aliases: CVE-2014-2681, GHSA-43xg-87xw-jpv8

VCID-afnn-53q5-wqft
  Summary: Improper Authentication
  Description: Potential security issue in login mechanism of ZendOpenId and Zend_OpenId consumer.
  Aliases: ZF2014-02

VCID-e8sg-z3kf-zqet
  Summary: ZendOpenID potential security issue in login mechanism
  Description: Using the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it is possible to log in using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means it is possible to log in using an arbitrary OpenID Identity (MyOpenID, Google, etc.) that is not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework. Moreover, the Consumer accepts OpenID tokens with arbitrary signed elements. The framework does not check whether, for example, both openid.claimed_id and openid.endpoint_url are signed; it is sufficient to sign one parameter. According to https://openid.net/specs/openid-authentication-2_0.html#positive_assertions, at least op_endpoint, return_to, response_nonce, assoc_handle and, if present in the response, claimed_id and identity must be signed.
  Aliases: GHSA-3x57-m5p4-rgh4

VCID-tpdc-c3mz-zyd2
  Summary: Several Zend Products Vulnerable to XXE and XEE attacks
  Description: Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, do not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.
  Aliases: CVE-2014-2682, GHSA-gp39-h9c2-qw79

VCID-wkkp-82dc-huhr
  Summary: Several Zend Products Vulnerable to XXE and XEE attacks
  Description: Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.
  Aliases: CVE-2014-2683, GHSA-5wm2-38q5-5rxv

History

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-05T21:45:08.702232+00:00 | GHSA Importer | Fixing | VCID-e8sg-z3kf-zqet | https://github.com/advisories/GHSA-3x57-m5p4-rgh4 | 38.6.0
2026-06-04T18:03:30.439094+00:00 | GithubOSV Importer | Fixing | VCID-wkkp-82dc-huhr | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5wm2-38q5-5rxv/GHSA-5wm2-38q5-5rxv.json | 38.6.0
2026-06-04T18:02:21.344906+00:00 | GithubOSV Importer | Fixing | VCID-6fzg-den8-rqc8 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-43xg-87xw-jpv8/GHSA-43xg-87xw-jpv8.json | 38.6.0
2026-06-04T18:00:05.469744+00:00 | GithubOSV Importer | Fixing | VCID-tpdc-c3mz-zyd2 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gp39-h9c2-qw79/GHSA-gp39-h9c2-qw79.json | 38.6.0
2026-06-04T16:50:58.794491+00:00 | GithubOSV Importer | Fixing | VCID-e8sg-z3kf-zqet | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-3x57-m5p4-rgh4/GHSA-3x57-m5p4-rgh4.json | 38.6.0
2026-06-04T16:21:55.451692+00:00 | GitLab Importer | Fixing | VCID-e8sg-z3kf-zqet | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendopenid/GHSA-3x57-m5p4-rgh4.yml | 38.6.0
2026-06-02T04:43:21.225901+00:00 | GitLab Importer | Fixing | VCID-6fzg-den8-rqc8 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendopenid/CVE-2014-2681.yml | 38.6.0
2026-06-02T04:43:11.077718+00:00 | GitLab Importer | Fixing | VCID-wkkp-82dc-huhr | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendopenid/CVE-2014-2683.yml | 38.6.0
2026-06-02T04:43:08.827599+00:00 | GitLab Importer | Fixing | VCID-tpdc-c3mz-zyd2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendopenid/CVE-2014-2682.yml | 38.6.0
2026-06-02T04:36:13.568844+00:00 | GitLab Importer | Fixing | VCID-afnn-53q5-wqft | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendopenid/ZF2014-02.yml | 38.6.0