{"url":"http://public2.vulnerablecode.io/api/packages/202024?format=json","purl":"pkg:composer/zendframework/zend-captcha@2.3.4","type":"composer","namespace":"zendframework","name":"zend-captcha","version":"2.3.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.4.9","latest_non_vulnerable_version":"2.5.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37949?format=json","vulnerability_id":"VCID-5cz1-j5rs-dub8","summary":"Potential Information Disclosure and Insufficient Entropy in Zend\\Captcha\\Word\nZend generates a \"word\" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.","references":[{"reference_url":"http://framework.zend.com/security/advisory/ZF2015-09","reference_id":"","reference_type":"","scores":[],"url":"http://framework.zend.com/security/advisory/ZF2015-09"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52409?format=json","purl":"pkg:composer/zendframework/zend-captcha@2.4.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.4.9"},{"url":"http://public2.vulnerablecode.io/api/packages/52410?format=json","purl":"pkg:composer/zendframework/zend-captcha@2.5.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.5.2"}],"aliases":["GMS-2015-47"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5cz1-j5rs-dub8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37948?format=json","vulnerability_id":"VCID-8atm-865q-mkf3","summary":"Potential Information Disclosure and Insufficient Entropy vulnerability in `Zend\\Captcha\\Word`.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2015-09","reference_id":"","reference_type":"","scores":[],"url":"https://framework.zend.com/security/advisory/ZF2015-09"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52409?format=json","purl":"pkg:composer/zendframework/zend-captcha@2.4.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.4.9"},{"url":"http://public2.vulnerablecode.io/api/packages/52410?format=json","purl":"pkg:composer/zendframework/zend-captcha@2.5.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.5.2"}],"aliases":["ZF2015-09"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8atm-865q-mkf3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55278?format=json","vulnerability_id":"VCID-ud17-u8e3-8qaj","summary":"Zend-Captcha Information Disclosure and Insufficient Entropy vulnerability\nIn Zend Framework, `Zend_Captcha_Word` (v1) and `Zend\\Captcha\\Word` (v2) generate a \"word\" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2015-09","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://framework.zend.com/security/advisory/ZF2015-09"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-captcha/ZF2015-09.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-captcha/ZF2015-09.yaml"},{"reference_url":"https://github.com/zendframework/zend-captcha","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zend-captcha"},{"reference_url":"https://github.com/zendframework/zend-captcha/commit/43c276df6e94e498bf530538aea53876a24fc47c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zend-captcha/commit/43c276df6e94e498bf530538aea53876a24fc47c"},{"reference_url":"https://github.com/zendframework/zend-captcha/commit/5561ef813bb4ad814e835343289dc5077d2eb262","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zend-captcha/commit/5561ef813bb4ad814e835343289dc5077d2eb262"},{"reference_url":"https://github.com/advisories/GHSA-mg4x-prh7-g4mx","reference_id":"GHSA-mg4x-prh7-g4mx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mg4x-prh7-g4mx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52409?format=json","purl":"pkg:composer/zendframework/zend-captcha@2.4.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.4.9"},{"url":"http://public2.vulnerablecode.io/api/packages/52410?format=json","purl":"pkg:composer/zendframework/zend-captcha@2.5.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.5.2"}],"aliases":["GHSA-mg4x-prh7-g4mx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ud17-u8e3-8qaj"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.3.4"}