{"url":"http://public2.vulnerablecode.io/api/packages/202030?format=json","purl":"pkg:composer/zendframework/zend-captcha@2.4.0rc1","type":"composer","namespace":"zendframework","name":"zend-captcha","version":"2.4.0rc1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.4.9","latest_non_vulnerable_version":"2.5.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37949?format=json","vulnerability_id":"VCID-5cz1-j5rs-dub8","summary":"Potential Information Disclosure and Insufficient Entropy in Zend\\Captcha\\Word\nZend generates a \"word\" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.","references":[{"reference_url":"http://framework.zend.com/security/advisory/ZF2015-09","reference_id":"","reference_type":"","scores":[],"url":"http://framework.zend.com/security/advisory/ZF2015-09"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52409?format=json","purl":"pkg:composer/zendframework/zend-captcha@2.4.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.4.9"},{"url":"http://public2.vulnerablecode.io/api/packages/52410?format=json","purl":"pkg:composer/zendframework/zend-captcha@2.5.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.5.2"}],"aliases":["GMS-2015-47"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5cz1-j5rs-dub8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37948?format=json","vulnerability_id":"VCID-8atm-865q-mkf3","summary":"Potential Information Disclosure and Insufficient Entropy vulnerability in `Zend\\Captcha\\Word`.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2015-09","reference_id":"","reference_type":"","scores":[],"url":"https://framework.zend.com/security/advisory/ZF2015-09"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52409?format=json","purl":"pkg:composer/zendframework/zend-captcha@2.4.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.4.9"},{"url":"http://public2.vulnerablecode.io/api/packages/52410?format=json","purl":"pkg:composer/zendframework/zend-captcha@2.5.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.5.2"}],"aliases":["ZF2015-09"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8atm-865q-mkf3"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.4.0rc1"}