| Field | Value |
|---|---|
| purl | pkg:deb/debian/zendframework@1.10.6-1squeeze6 |
| Next non-vulnerable version | 1.12.9+dfsg-2+deb8u6 |
| Latest non-vulnerable version | 1.12.9+dfsg-2+deb8u6 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-5bm4-grk6-w7hk (aliases: CVE-2015-3154, GHSA-5957-5crx-79jx) | CRLF Injection: potential CRLF injection attacks in mail and HTTP headers. | Affected by 4 other vulnerabilities. |
| VCID-6fzg-den8-rqc8 (aliases: CVE-2014-2681, GHSA-43xg-87xw-jpv8) | Several Zend Products Vulnerable to XXE and XEE attacks: Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657. | Affected by 4 other vulnerabilities. |
| VCID-6xpr-93ef-27cu (aliases: CVE-2014-8088, GHSA-f6rc-rh43-h8gr) | Improper Authentication: the (1) `Zend_Ldap` class in Zend and (2) `Zend\Ldap` component in Zend allow remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind. | Affected by 4 other vulnerabilities. |
| VCID-njsg-e1w1-9qcy (aliases: CVE-2015-5161, GHSA-xp8p-9rq5-4wgv) | XXE/XEE vulnerability via multibyte payloads: there is a flaw that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only applies when running under PHP-FPM in a threaded environment. | Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-nww8-u5fu-xqem (aliases: DSA-3265-2 zendframework) | Regression update. | Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-q74z-645k-c7dk (aliases: CVE-2015-5723, GHSA-pw5c-xqf2-6xc2) | Security Misconfiguration Vulnerability: Doctrine uses `mkdir($cacheDirectory )` to create cache directories. If your application runs with a umask of | Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-r5y8-nc2w-kqde (aliases: CVE-2014-8089, GHSA-qh9w-r7g5-q939) | SQL Injection: SQL injection vector when manually quoting values for the `sqlsrv` extension, using a null byte. | Affected by 4 other vulnerabilities. |
| VCID-r6mq-kyr4-eue4 (aliases: CVE-2014-4914) | | Affected by 4 other vulnerabilities. |
| VCID-tpdc-c3mz-zyd2 (aliases: CVE-2014-2682, GHSA-gp39-h9c2-qw79) | Several Zend Products Vulnerable to XXE and XEE attacks: Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, do not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657. | Affected by 4 other vulnerabilities. |
| VCID-uvgx-4m6v-2bg7 (aliases: CVE-2015-7695, GHSA-2hvh-c5c2-vj85) | SQL injection vector using null byte for PDO: the PDO adapters of Zend Framework 1 do not filter null byte values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection. This only impacts the MsSql and SQLite adapters. | Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-v75g-pqp3-qqhb (aliases: CVE-2014-2684) | | Affected by 4 other vulnerabilities. |
| VCID-wkkp-82dc-huhr (aliases: CVE-2014-2683, GHSA-5wm2-38q5-5rxv) | Several Zend Products Vulnerable to XXE and XEE attacks: Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532. | Affected by 4 other vulnerabilities. |
| VCID-wm9p-tvbu-qkf5 (aliases: CVE-2014-2685) | | Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |