{"url":"http://public2.vulnerablecode.io/api/packages/51343?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.1","type":"composer","namespace":"zendframework","name":"zendframework1","version":"1.12.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.12.20","latest_non_vulnerable_version":"1.12.20","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37916?format=json","vulnerability_id":"VCID-2ncq-wptr-k3ha","summary":"SQL Injection\nPotential SQL injection vector using null byte for PDO (MsSql, SQLite).","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2015-08","reference_id":"","reference_type":"","scores":[],"url":"https://framework.zend.com/security/advisory/ZF2015-08"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52374?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.16"}],"aliases":["ZF2015-08"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2ncq-wptr-k3ha"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38158?format=json","vulnerability_id":"VCID-2xx4-77e9-pfbb","summary":"Potential SQL injection\nThe implementation of `ORDER BY` and `GROUP BY` in `Zend_Db_Select` of ZF1 is vulnerable by the following SQL injection.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2016-02","reference_id":"","reference_type":"","scores":[],"url":"https://framework.zend.com/security/advisory/ZF2016-02"},{"reference_url":"https://github.com/zendframework/zf1/commit/bf3f40605be3d8f136a07ae991079a7dcb34d967","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/zendframework/zf1/commit/bf3f40605be3d8f136a07ae991079a7dcb34d967"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52823?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-rc3w-5r97-k3b3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.19"}],"aliases":["ZF2016-02"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2xx4-77e9-pfbb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37848?format=json","vulnerability_id":"VCID-5bm4-grk6-w7hk","summary":"CRLF Injection\nPotential CRLF injection attacks in mail and HTTP headers.","references":[{"reference_url":"http://framework.zend.com/security/advisory/ZF2015-04","reference_id":"","reference_type":"","scores":[],"url":"http://framework.zend.com/security/advisory/ZF2015-04"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-3154","reference_id":"","reference_type":"","scores":[{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.51029","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.51063","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.51044","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.51074","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.51096","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.51091","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-3154"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3154"},{"reference_url":"https://framework.zend.com/security/advisory/ZF2015-04","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://framework.zend.com/security/advisory/ZF2015-04"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-3154.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-3154.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-3154.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-3154.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-http/CVE-2015-3154.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-http/CVE-2015-3154.yaml"},{"reference_url":"https://github.com/zendframework/zendframework","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zendframework"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-3154","reference_id":"CVE-2015-3154","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-3154"},{"reference_url":"https://github.com/advisories/GHSA-5957-5crx-79jx","reference_id":"GHSA-5957-5crx-79jx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5957-5crx-79jx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52278?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-njsg-e1w1-9qcy"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.12"}],"aliases":["CVE-2015-3154","GHSA-5957-5crx-79jx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5bm4-grk6-w7hk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55313?format=json","vulnerability_id":"VCID-649h-2f2f-nbam","summary":"ZendFramework potential XML eXternal Entity injection vectors\nNumerous components utilizing PHP's `DOMDocument`, `SimpleXML`, and `xml_parse` functionality are vulnerable to two types of attacks:\n\n- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.\n- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2014-01","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://framework.zend.com/security/advisory/ZF2014-01"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2014-01.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2014-01.yaml"},{"reference_url":"https://github.com/zendframework/zf1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zf1"},{"reference_url":"https://github.com/advisories/GHSA-mhpx-3rv8-wrjm","reference_id":"GHSA-mhpx-3rv8-wrjm","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mhpx-3rv8-wrjm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51732?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-5bm4-grk6-w7hk"},{"vulnerability":"VCID-6xpr-93ef-27cu"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-9bm9-b48z-zqcm"},{"vulnerability":"VCID-a72a-7k6u-rqgr"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-njsg-e1w1-9qcy"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-r5y8-nc2w-kqde"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.4"}],"aliases":["GHSA-mhpx-3rv8-wrjm"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-649h-2f2f-nbam"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43823?format=json","vulnerability_id":"VCID-6fzg-den8-rqc8","summary":"Several Zend Products Vulnerable to XXE and XEE attacks\nZend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.","references":[{"reference_url":"http://advisories.mageia.org/MGASA-2014-0151.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://advisories.mageia.org/MGASA-2014-0151.html"},{"reference_url":"http://framework.zend.com/security/advisory/ZF2014-01","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://framework.zend.com/security/advisory/ZF2014-01"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-2681","reference_id":"","reference_type":"","scores":[{"value":"0.02971","scoring_system":"epss","scoring_elements":"0.86783","published_at":"2026-06-09T12:55:00Z"},{"value":"0.02971","scoring_system":"epss","scoring_elements":"0.86764","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02971","scoring_system":"epss","scoring_elements":"0.86786","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02971","scoring_system":"epss","scoring_elements":"0.86784","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02971","scoring_system":"epss","scoring_elements":"0.86781","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02971","scoring_system":"epss","scoring_elements":"0.86771","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-2681"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3154"},{"reference_url":"http://seclists.org/oss-sec/2014/q2/0","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/oss-sec/2014/q2/0"},{"reference_url":"https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072"},{"reference_url":"https://web.archive.org/web/20210125095213/http://www.securityfocus.com/bid/66358","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20210125095213/http://www.securityfocus.com/bid/66358"},{"reference_url":"http://www.debian.org/security/2015/dsa-3265","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2015/dsa-3265"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-2681","reference_id":"CVE-2014-2681","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-2681"},{"reference_url":"https://github.com/advisories/GHSA-43xg-87xw-jpv8","reference_id":"GHSA-43xg-87xw-jpv8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-43xg-87xw-jpv8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51732?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-5bm4-grk6-w7hk"},{"vulnerability":"VCID-6xpr-93ef-27cu"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-9bm9-b48z-zqcm"},{"vulnerability":"VCID-a72a-7k6u-rqgr"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-njsg-e1w1-9qcy"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-r5y8-nc2w-kqde"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.4"}],"aliases":["CVE-2014-2681","GHSA-43xg-87xw-jpv8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6fzg-den8-rqc8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37762?format=json","vulnerability_id":"VCID-6xpr-93ef-27cu","summary":"Improper Authentication\nThe (1) `Zend_Ldap` class in Zend and (2) `Zend\u2028dap` component in Zend allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.","references":[{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141070.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141070.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141106.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141106.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-8088","reference_id":"","reference_type":"","scores":[{"value":"0.00608","scoring_system":"epss","scoring_elements":"0.70121","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00608","scoring_system":"epss","scoring_elements":"0.70101","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00608","scoring_system":"epss","scoring_elements":"0.70145","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00608","scoring_system":"epss","scoring_elements":"0.70133","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00608","scoring_system":"epss","scoring_elements":"0.70151","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00608","scoring_system":"epss","scoring_elements":"0.70142","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-8088"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3154"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/97038","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/97038"},{"reference_url":"https://framework.zend.com/security/advisory/ZF2014-05","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://framework.zend.com/security/advisory/ZF2014-05"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2014-8088.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2014-8088.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2014-8088.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2014-8088.yaml"},{"reference_url":"https://github.com/zendframework/zendframework","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zendframework"},{"reference_url":"https://github.com/zendframework/zendframework/commit/a4222a6c1dc809f0f32fdafcd1ac4d583a075f2f","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zendframework/commit/a4222a6c1dc809f0f32fdafcd1ac4d583a075f2f"},{"reference_url":"http://www.debian.org/security/2015/dsa-3265","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2015/dsa-3265"},{"reference_url":"http://www.openwall.com/lists/oss-security/2014/10/10/5","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2014/10/10/5"},{"reference_url":"http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"},{"reference_url":"http://www.securityfocus.com/bid/70378","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/70378"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-8088","reference_id":"CVE-2014-8088","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-8088"},{"reference_url":"https://github.com/advisories/GHSA-f6rc-rh43-h8gr","reference_id":"GHSA-f6rc-rh43-h8gr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f6rc-rh43-h8gr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51974?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-5bm4-grk6-w7hk"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-njsg-e1w1-9qcy"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.9"}],"aliases":["CVE-2014-8088","GHSA-f6rc-rh43-h8gr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6xpr-93ef-27cu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37948?format=json","vulnerability_id":"VCID-8atm-865q-mkf3","summary":"Potential Information Disclosure and Insufficient Entropy vulnerability in `Zend\\Captcha\\Word`.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2015-09","reference_id":"","reference_type":"","scores":[],"url":"https://framework.zend.com/security/advisory/ZF2015-09"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52407?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.17"}],"aliases":["ZF2015-09"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8atm-865q-mkf3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55300?format=json","vulnerability_id":"VCID-9bm9-b48z-zqcm","summary":"ZendFramework1 Potential SQL injection in the ORDER implementation of Zend_Db_Select\nThe implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend Framework 1 contains a potential SQL injection when the query string passed contains parentheses.\n\nFor instance, the following code is affected by this issue:\n```\n$db     = Zend_Db::factory( /* options here */ );\n$select = $db->select()\n->from(array('p' => 'products'))\n->order('MD5(1); drop table products');\necho $select;\n```\nThis code produce the string:\n```\nSELECT \"p\".* FROM \"products\" AS \"p\" ORDER BY MD5(1);drop table products ASC\n```\ninstead of the correct one:\n```\nSELECT \"p\".* FROM \"products\" AS \"p\" ORDER BY \"MD5(1);drop table products\" ASC\n```\nThe SQL injection occurs because we create a new Zend_Db_Expr() object, in presence of parentheses, passing directly the value without any filter on the string.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2014-04","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://framework.zend.com/security/advisory/ZF2014-04"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2014-04.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2014-04.yaml"},{"reference_url":"https://github.com/zendframework/zf1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zf1"},{"reference_url":"https://github.com/advisories/GHSA-2x36-qhx3-7m5f","reference_id":"GHSA-2x36-qhx3-7m5f","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2x36-qhx3-7m5f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51887?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-5bm4-grk6-w7hk"},{"vulnerability":"VCID-6xpr-93ef-27cu"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-njsg-e1w1-9qcy"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-r5y8-nc2w-kqde"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.7"}],"aliases":["GHSA-2x36-qhx3-7m5f"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9bm9-b48z-zqcm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37705?format=json","vulnerability_id":"VCID-a72a-7k6u-rqgr","summary":"SQL Injection\nPotential SQL injection in the ORDER implementation of `Zend_Db_Select`.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2014-04","reference_id":"","reference_type":"","scores":[],"url":"https://framework.zend.com/security/advisory/ZF2014-04"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51887?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-5bm4-grk6-w7hk"},{"vulnerability":"VCID-6xpr-93ef-27cu"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-njsg-e1w1-9qcy"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-r5y8-nc2w-kqde"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.7"}],"aliases":["ZF2014-04"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a72a-7k6u-rqgr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37636?format=json","vulnerability_id":"VCID-afnn-53q5-wqft","summary":"Improper Authentication\nPotential security issue in login mechanism of ZendOpenId and Zend_OpenId consumer.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2014-02","reference_id":"","reference_type":"","scores":[],"url":"https://framework.zend.com/security/advisory/ZF2014-02"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51732?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-5bm4-grk6-w7hk"},{"vulnerability":"VCID-6xpr-93ef-27cu"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-9bm9-b48z-zqcm"},{"vulnerability":"VCID-a72a-7k6u-rqgr"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-njsg-e1w1-9qcy"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-r5y8-nc2w-kqde"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.4"}],"aliases":["ZF2014-02"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-afnn-53q5-wqft"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55331?format=json","vulnerability_id":"VCID-b1da-n1u7-43hj","summary":"ZendFramework1 Potential Insufficient Entropy Vulnerability\nWe discovered several methods used to generate random numbers in ZF1 that potentially used insufficient entropy. These random number generators are used in the following method calls:\n```\nZend_Ldap_Attribute::createPassword\nZend_Form_Element_Hash::_generateHash\nZend_Gdata_HttpClient::filterHttpRequest\nZend_Filter_Encrypt_Mcrypt::_srand\nZend_OpenId::randomBytes\n```\nIn each case, the methods were using rand() or mt_rand(), neither of which can generate cryptographically secure values. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation.\n\nMoreover, we discovered a potential security issue in the usage of the [openssl_random_pseudo_bytes()](http://php.net/manual/en/function.openssl-random-pseudo-bytes.php) function in Zend_Crypt_Math::randBytes, reported in PHP BUG [#70014](https://bugs.php.net/bug.php?id=70014), and the security implications reported in a discussion [on the random_compat library.](https://github.com/paragonie/random_compat/issues/96)","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2016-01","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://framework.zend.com/security/advisory/ZF2016-01"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2016-01.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2016-01.yaml"},{"reference_url":"https://github.com/zendframework/zf1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zf1"},{"reference_url":"https://github.com/advisories/GHSA-8xhv-gqm4-3w99","reference_id":"GHSA-8xhv-gqm4-3w99","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8xhv-gqm4-3w99"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52645?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-rc3w-5r97-k3b3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.18"}],"aliases":["GHSA-8xhv-gqm4-3w99"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b1da-n1u7-43hj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38482?format=json","vulnerability_id":"VCID-bjvu-jg9w-mqdd","summary":"SQL Injection\nThe (1) order and (2) group methods in Zend_Db_Select in the Zend Framework might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern `[\\w]*` in a regular expression.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-6233","reference_id":"","reference_type":"","scores":[{"value":"0.01724","scoring_system":"epss","scoring_elements":"0.82763","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01724","scoring_system":"epss","scoring_elements":"0.82791","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01724","scoring_system":"epss","scoring_elements":"0.82778","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01724","scoring_system":"epss","scoring_elements":"0.82785","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01724","scoring_system":"epss","scoring_elements":"0.82787","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01724","scoring_system":"epss","scoring_elements":"0.82788","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-6233"},{"reference_url":"https://framework.zend.com/security/advisory/ZF2016-02","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://framework.zend.com/security/advisory/ZF2016-02"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2016-6233.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2016-6233.yaml"},{"reference_url":"https://github.com/zendframework/zendframework","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zendframework"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/"},{"reference_url":"https://security.gentoo.org/glsa/201804-10","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/201804-10"},{"reference_url":"https://web.archive.org/web/20210123152547/http://www.securityfocus.com/bid/91802","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20210123152547/http://www.securityfocus.com/bid/91802"},{"reference_url":"http://www.securityfocus.com/bid/91802","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/91802"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-6233","reference_id":"CVE-2016-6233","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-6233"},{"reference_url":"https://github.com/advisories/GHSA-p9hp-3gpv-52w3","reference_id":"GHSA-p9hp-3gpv-52w3","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p9hp-3gpv-52w3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52823?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-rc3w-5r97-k3b3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.19"}],"aliases":["CVE-2016-6233","GHSA-p9hp-3gpv-52w3"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bjvu-jg9w-mqdd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55290?format=json","vulnerability_id":"VCID-c8kp-n8m3-2khe","summary":"Zendframework1 Potential SQL injection in ORDER and GROUP functions\nThe implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone to SQL injection when a combination of SQL expressions and comments were used. This security patch provides a comprehensive solution that identifies and removes comments prior to checking validity of the statement to ensure no SQLi vectors occur.\n\nThe implementation of ORDER BY and GROUP BY in Zend_Db_Select of ZF1 is vulnerable by the following SQL injection:\n```\n$db = Zend_Db::factory(/* options here */);\n$select = new Zend_Db_Select($db);\n$select->from('p');\n$select->order(\"MD5(\\\"a(\\\");DELETE FROM p2; #)\"); // same with group()\n```\nThe above $select will render the following SQL statement:\n```\nSELECT `p`.* FROM `p` ORDER BY MD5(\"a(\");DELETE FROM p2; #) ASC\n```\ninstead of the correct one:\n```\nSELECT \"p\".* FROM \"p\" ORDER BY \"MD5(\"\"a(\"\");DELETE FROM p2; #)\" ASC\n```\nThis security fix can be considered an improvement of the previous ZF2016-02 and ZF2014-04 advisories.\n\nAs a final consideration, we recommend developers either never use user input for these operations, or filter user input thoroughly prior to invoking Zend_Db. You can use the Zend_Db_Select::quoteInto() method to filter the input data, as shown in this example:\n```\n$db    = Zend_Db::factory(...);\n$input = \"MD5(\\\"a(\\\");DELETE FROM p2; #)\"; // user input can be an attack\n$order = $db->quoteInto(\"SQL statement for ORDER\", $input);\n\n$select = new Zend_Db_Select($db);\n$select->from('p');\n$select->order($order); // same with group()\n```","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2016-03","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://framework.zend.com/security/advisory/ZF2016-03"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2016-03.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2016-03.yaml"},{"reference_url":"https://github.com/zendframework/zf1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zf1"},{"reference_url":"https://github.com/advisories/GHSA-6fqw-j3vm-7f66","reference_id":"GHSA-6fqw-j3vm-7f66","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6fqw-j3vm-7f66"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52880?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.20","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.20"}],"aliases":["GHSA-6fqw-j3vm-7f66"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c8kp-n8m3-2khe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55284?format=json","vulnerability_id":"VCID-e9ut-smfp-7yb4","summary":"Zendframework potential security issue in login mechanism\nUsing the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework.\n\nMoreover, the Consumer accepts OpenID tokens with arbitrary signed elements. The framework does not check if, for example, both openid.claimed_id and openid.endpoint_url are signed. It is just sufficient to sign one parameter. According to https://openid.net/specs/openid-authentication-2_0.html#positive_assertions, at least op_endpoint, return_to, response_nonce, assoc_handle, and, if present in the response, claimed_id and identity, must be signed.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2014-02","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://framework.zend.com/security/advisory/ZF2014-02"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2014-02.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2014-02.yaml"},{"reference_url":"https://github.com/zendframework/zf1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zf1"},{"reference_url":"https://github.com/advisories/GHSA-9v78-h226-2rmq","reference_id":"GHSA-9v78-h226-2rmq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9v78-h226-2rmq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51732?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-5bm4-grk6-w7hk"},{"vulnerability":"VCID-6xpr-93ef-27cu"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-9bm9-b48z-zqcm"},{"vulnerability":"VCID-a72a-7k6u-rqgr"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-njsg-e1w1-9qcy"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-r5y8-nc2w-kqde"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.4"}],"aliases":["GHSA-9v78-h226-2rmq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e9ut-smfp-7yb4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37640?format=json","vulnerability_id":"VCID-grk8-aj34-hqb4","summary":"Improper Restriction of XML External Entity Reference\nPotential XXE/XEE attacks using PHP functions: `simplexml_load_*`, `DOMDocument::loadXML`, and `xml_parse`.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2014-01","reference_id":"","reference_type":"","scores":[],"url":"https://framework.zend.com/security/advisory/ZF2014-01"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51732?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-5bm4-grk6-w7hk"},{"vulnerability":"VCID-6xpr-93ef-27cu"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-9bm9-b48z-zqcm"},{"vulnerability":"VCID-a72a-7k6u-rqgr"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-njsg-e1w1-9qcy"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-r5y8-nc2w-kqde"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.4"}],"aliases":["ZF2014-01"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-grk8-aj34-hqb4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55292?format=json","vulnerability_id":"VCID-h5yf-ahec-gbgx","summary":"Zendframework Potential Information Disclosure and Insufficient Entropy vulnerability\nIn Zend Framework, Zend_Captcha_Word (v1) and Zend\\Captcha\\Word (v2) generate a \"word\" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2015-09","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://framework.zend.com/security/advisory/ZF2015-09"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2015-09.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2015-09.yaml"},{"reference_url":"https://github.com/zendframework/zf1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zf1"},{"reference_url":"https://github.com/advisories/GHSA-848f-mph5-9pm9","reference_id":"GHSA-848f-mph5-9pm9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-848f-mph5-9pm9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52407?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.17"}],"aliases":["GHSA-848f-mph5-9pm9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h5yf-ahec-gbgx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38088?format=json","vulnerability_id":"VCID-n2gy-93nd-gber","summary":"Potential Insufficient Entropy Vulnerability in ZF1.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2016-01","reference_id":"","reference_type":"","scores":[],"url":"https://framework.zend.com/security/advisory/ZF2016-01"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52645?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-rc3w-5r97-k3b3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.18"}],"aliases":["ZF2016-01"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n2gy-93nd-gber"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37904?format=json","vulnerability_id":"VCID-njsg-e1w1-9qcy","summary":"XXE/XEE vulnerability via multibyte payloads\nThere's a flow that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only apply when running under PHP-FPM in a threaded environment.","references":[{"reference_url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161","reference_id":"","reference_type":"","scores":[],"url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161"},{"reference_url":"http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html"},{"reference_url":"http://packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-5161","reference_id":"","reference_type":"","scores":[{"value":"0.39093","scoring_system":"epss","scoring_elements":"0.97364","published_at":"2026-06-09T12:55:00Z"},{"value":"0.39093","scoring_system":"epss","scoring_elements":"0.97355","published_at":"2026-06-04T12:55:00Z"},{"value":"0.39093","scoring_system":"epss","scoring_elements":"0.9736","published_at":"2026-06-05T12:55:00Z"},{"value":"0.39093","scoring_system":"epss","scoring_elements":"0.97361","published_at":"2026-06-06T12:55:00Z"},{"value":"0.39093","scoring_system":"epss","scoring_elements":"0.97362","published_at":"2026-06-07T12:55:00Z"},{"value":"0.39093","scoring_system":"epss","scoring_elements":"0.97363","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-5161"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161"},{"reference_url":"http://seclists.org/fulldisclosure/2015/Aug/46","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2015/Aug/46"},{"reference_url":"https://framework.zend.com/security/advisory/ZF2015-06","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://framework.zend.com/security/advisory/ZF2015-06"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-5161.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-5161.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-5161.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-5161.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendxml/CVE-2015-5161.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendxml/CVE-2015-5161.yaml"},{"reference_url":"https://github.com/zendframework/ZendXml/commit/79f478fa2af85ce1fc18ac132dee5aa714c3b532","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/ZendXml/commit/79f478fa2af85ce1fc18ac132dee5aa714c3b532"},{"reference_url":"https://github.com/zendframework/zf1/commit/ff7edddf1410b44b5ead857c02698aad9f748d1b","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zf1/commit/ff7edddf1410b44b5ead857c02698aad9f748d1b"},{"reference_url":"https://github.com/zendframework/zf1/issues/393","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zf1/issues/393"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5161","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5161"},{"reference_url":"https://web.archive.org/web/20200228055156/http://www.securityfocus.com/bid/76177","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200228055156/http://www.securityfocus.com/bid/76177"},{"reference_url":"https://www.exploit-db.com/exploits/37765","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/37765"},{"reference_url":"https://www.exploit-db.com/exploits/37765/","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/37765/"},{"reference_url":"http://www.debian.org/security/2015/dsa-3340","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2015/dsa-3340"},{"reference_url":"http://www.securityfocus.com/bid/76177","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/76177"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/37765.txt","reference_id":"CVE-2015-5161","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/37765.txt"},{"reference_url":"http://framework.zend.com/security/advisory/ZF2015-06","reference_id":"CVE-2015-5161;OSVDB-125783","reference_type":"exploit","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://framework.zend.com/security/advisory/ZF2015-06"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/38573.txt","reference_id":"CVE-2015-5161;OSVDB-125783","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/38573.txt"},{"reference_url":"https://github.com/advisories/GHSA-xp8p-9rq5-4wgv","reference_id":"GHSA-xp8p-9rq5-4wgv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xp8p-9rq5-4wgv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52357?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.14"}],"aliases":["CVE-2015-5161","GHSA-xp8p-9rq5-4wgv"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-njsg-e1w1-9qcy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55312?format=json","vulnerability_id":"VCID-ps73-776n-zffn","summary":"Zendframework1 potential SQL injection vector using null byte for PDO (MsSql, SQLite)\nThe PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.\n\nWe tested and verified the null byte injection using pdo_dblib (FreeTDS) on a Linux environment to access a remote Microsoft SQL Server, and also tested against and noted the vector against pdo_sqlite.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2015-08","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://framework.zend.com/security/advisory/ZF2015-08"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2015-08.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2015-08.yaml"},{"reference_url":"https://github.com/zendframework/zf1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zf1"},{"reference_url":"https://github.com/advisories/GHSA-v42g-7q2x-cw32","reference_id":"GHSA-v42g-7q2x-cw32","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v42g-7q2x-cw32"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52374?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.16"}],"aliases":["GHSA-v42g-7q2x-cw32"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ps73-776n-zffn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37953?format=json","vulnerability_id":"VCID-q73m-16a9-rkgx","summary":"Potential Information Disclosure and Insufficient Entropy in Zend\\Captcha\\Word\nZend generates a \"word\" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.","references":[{"reference_url":"http://framework.zend.com/security/advisory/ZF2015-09","reference_id":"","reference_type":"","scores":[],"url":"http://framework.zend.com/security/advisory/ZF2015-09"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52407?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.17"}],"aliases":["GMS-2015-49"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q73m-16a9-rkgx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38135?format=json","vulnerability_id":"VCID-q74z-645k-c7dk","summary":"Security Misconfiguration Vulnerability\nDoctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of","references":[{"reference_url":"http://framework.zend.com/security/advisory/ZF2015-07","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://framework.zend.com/security/advisory/ZF2015-07"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-5723","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.1024","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10193","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10216","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10261","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10281","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10157","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-5723"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5723","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5723"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7695","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7695"},{"reference_url":"https://framework.zend.com/security/advisory/ZF2015-07","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://framework.zend.com/security/advisory/ZF2015-07"},{"reference_url":"https://github.com/aws/aws-sdk-php/releases/tag/3.2.1","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/aws-sdk-php/releases/tag/3.2.1"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/aws/aws-sdk-php/CVE-2015-5723.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/aws/aws-sdk-php/CVE-2015-5723.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/doctrine/cache/CVE-2015-5723.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/doctrine/cache/CVE-2015-5723.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/doctrine/orm/CVE-2015-5723.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/doctrine/orm/CVE-2015-5723.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-cache/CVE-2015-5723.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-cache/CVE-2015-5723.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-5723.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-5723.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-5723.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-5723.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zfcampus/zf-apigility-doctrine/CVE-2015-5723.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zfcampus/zf-apigility-doctrine/CVE-2015-5723.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5723","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5723"},{"reference_url":"https://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html"},{"reference_url":"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5723","reference_id":"","reference_type":"","scores":[],"url":"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5723"},{"reference_url":"http://www.debian.org/security/2015/dsa-3369","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2015/dsa-3369"},{"reference_url":"http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html"},{"reference_url":"https://github.com/advisories/GHSA-pw5c-xqf2-6xc2","reference_id":"GHSA-pw5c-xqf2-6xc2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pw5c-xqf2-6xc2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52374?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.16"}],"aliases":["CVE-2015-5723","GHSA-pw5c-xqf2-6xc2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q74z-645k-c7dk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37751?format=json","vulnerability_id":"VCID-r5y8-nc2w-kqde","summary":"SQL Injection\nSQL injection vector when manually quoting values for `sqlsrv` extension, using null byte.","references":[{"reference_url":"http://framework.zend.com/security/advisory/ZF2014-06","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://framework.zend.com/security/advisory/ZF2014-06"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-8089","reference_id":"","reference_type":"","scores":[{"value":"0.01121","scoring_system":"epss","scoring_elements":"0.78619","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01121","scoring_system":"epss","scoring_elements":"0.78587","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01121","scoring_system":"epss","scoring_elements":"0.78615","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01121","scoring_system":"epss","scoring_elements":"0.78623","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01121","scoring_system":"epss","scoring_elements":"0.78613","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01121","scoring_system":"epss","scoring_elements":"0.78602","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-8089"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1151277","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1151277"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3154"},{"reference_url":"http://seclists.org/oss-sec/2014/q4/276","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/oss-sec/2014/q4/276"},{"reference_url":"https://framework.zend.com/security/advisory/ZF2014-06","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://framework.zend.com/security/advisory/ZF2014-06"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-db/CVE-2014-8089.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-db/CVE-2014-8089.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2014-8089.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2014-8089.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2014-8089.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2014-8089.yaml"},{"reference_url":"http://www.securityfocus.com/bid/70011","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/70011"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-8089","reference_id":"CVE-2014-8089","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-8089"},{"reference_url":"https://github.com/advisories/GHSA-qh9w-r7g5-q939","reference_id":"GHSA-qh9w-r7g5-q939","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qh9w-r7g5-q939"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51974?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-5bm4-grk6-w7hk"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-njsg-e1w1-9qcy"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.9"}],"aliases":["CVE-2014-8089","GHSA-qh9w-r7g5-q939"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r5y8-nc2w-kqde"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38208?format=json","vulnerability_id":"VCID-rc3w-5r97-k3b3","summary":"Potential SQL injection in ORDER and GROUP functions\nThe implementation of ORDER BY and GROUP BY in `Zend_Db_Select` is prone to SQL injection when a combination of SQL expressions and comments are used.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2016-03","reference_id":"","reference_type":"","scores":[],"url":"https://framework.zend.com/security/advisory/ZF2016-03"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52880?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.20","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.20"}],"aliases":["ZF2016-03"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rc3w-5r97-k3b3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38087?format=json","vulnerability_id":"VCID-sjw9-2fwe-5ybg","summary":"Potential Insufficient Entropy\nThere are several methods used to generate random numbers in ZF1 that potentially used insufficient entropy. Moreover, there's a potential security issue in the usage of the `openssl_random_pseudo_bytes()` function in `Zend_Crypt_Math::randBytes`, reported in PHP BUG #70014, and the security implications reported in a discussion on the `random_compat` library.","references":[{"reference_url":"http://framework.zend.com/security/advisory/ZF2016-01","reference_id":"","reference_type":"","scores":[],"url":"http://framework.zend.com/security/advisory/ZF2016-01"},{"reference_url":"https://bugs.php.net/bug.php?id=70014","reference_id":"","reference_type":"","scores":[],"url":"https://bugs.php.net/bug.php?id=70014"},{"reference_url":"https://github.com/paragonie/random_compat/issues/96","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/paragonie/random_compat/issues/96"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52645?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-rc3w-5r97-k3b3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.18"}],"aliases":["ZF2016-11"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sjw9-2fwe-5ybg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43794?format=json","vulnerability_id":"VCID-tpdc-c3mz-zyd2","summary":"Several Zend Products Vulnerable to XXE and XEE attacks\nZend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.","references":[{"reference_url":"http://advisories.mageia.org/MGASA-2014-0151.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://advisories.mageia.org/MGASA-2014-0151.html"},{"reference_url":"http://framework.zend.com/security/advisory/ZF2014-01","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://framework.zend.com/security/advisory/ZF2014-01"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-2682","reference_id":"","reference_type":"","scores":[{"value":"0.01826","scoring_system":"epss","scoring_elements":"0.83266","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01826","scoring_system":"epss","scoring_elements":"0.83237","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01826","scoring_system":"epss","scoring_elements":"0.83263","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01826","scoring_system":"epss","scoring_elements":"0.83264","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01826","scoring_system":"epss","scoring_elements":"0.8326","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01826","scoring_system":"epss","scoring_elements":"0.83253","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-2682"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3154"},{"reference_url":"http://seclists.org/oss-sec/2014/q2/0","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/oss-sec/2014/q2/0"},{"reference_url":"https://web.archive.org/web/20140419041226/http://www.securityfocus.com/bid/66358","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20140419041226/http://www.securityfocus.com/bid/66358"},{"reference_url":"https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072"},{"reference_url":"http://www.debian.org/security/2015/dsa-3265","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2015/dsa-3265"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-2682","reference_id":"CVE-2014-2682","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-2682"},{"reference_url":"https://github.com/advisories/GHSA-gp39-h9c2-qw79","reference_id":"GHSA-gp39-h9c2-qw79","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gp39-h9c2-qw79"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51732?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-5bm4-grk6-w7hk"},{"vulnerability":"VCID-6xpr-93ef-27cu"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-9bm9-b48z-zqcm"},{"vulnerability":"VCID-a72a-7k6u-rqgr"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-njsg-e1w1-9qcy"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-r5y8-nc2w-kqde"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.4"}],"aliases":["CVE-2014-2682","GHSA-gp39-h9c2-qw79"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tpdc-c3mz-zyd2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38136?format=json","vulnerability_id":"VCID-uvgx-4m6v-2bg7","summary":"SQL injection vector using null byte for PDO\nThe PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection. This only impacts MsSql and SQLite adapters.","references":[{"reference_url":"http://framework.zend.com/security/advisory/ZF2015-08","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://framework.zend.com/security/advisory/ZF2015-08"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7695","reference_id":"","reference_type":"","scores":[{"value":"0.02248","scoring_system":"epss","scoring_elements":"0.84895","published_at":"2026-06-08T12:55:00Z"},{"value":"0.02248","scoring_system":"epss","scoring_elements":"0.84906","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02248","scoring_system":"epss","scoring_elements":"0.8491","published_at":"2026-06-09T12:55:00Z"},{"value":"0.02248","scoring_system":"epss","scoring_elements":"0.84911","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02248","scoring_system":"epss","scoring_elements":"0.84884","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02248","scoring_system":"epss","scoring_elements":"0.84905","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7695"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5723","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5723"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7695","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7695"},{"reference_url":"https://github.com/zendframework/zf1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zf1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7695","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7695"},{"reference_url":"http://www.debian.org/security/2015/dsa-3369","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2015/dsa-3369"},{"reference_url":"http://www.openwall.com/lists/oss-security/2015/09/30/6","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2015/09/30/6"},{"reference_url":"http://www.openwall.com/lists/oss-security/2015/09/30/8","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2015/09/30/8"},{"reference_url":"http://www.openwall.com/lists/oss-security/2015/10/11/3","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2015/10/11/3"},{"reference_url":"http://www.securityfocus.com/bid/76784","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/76784"},{"reference_url":"https://github.com/advisories/GHSA-2hvh-c5c2-vj85","reference_id":"GHSA-2hvh-c5c2-vj85","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2hvh-c5c2-vj85"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52374?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.16"}],"aliases":["CVE-2015-7695","GHSA-2hvh-c5c2-vj85"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uvgx-4m6v-2bg7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43800?format=json","vulnerability_id":"VCID-wkkp-82dc-huhr","summary":"Several Zend Products Vulnerable to XXE and XEE attacks\nZend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.","references":[{"reference_url":"http://advisories.mageia.org/MGASA-2014-0151.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://advisories.mageia.org/MGASA-2014-0151.html"},{"reference_url":"http://framework.zend.com/security/advisory/ZF2014-01","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://framework.zend.com/security/advisory/ZF2014-01"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-2683","reference_id":"","reference_type":"","scores":[{"value":"0.02558","scoring_system":"epss","scoring_elements":"0.85804","published_at":"2026-06-09T12:55:00Z"},{"value":"0.02558","scoring_system":"epss","scoring_elements":"0.85784","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02558","scoring_system":"epss","scoring_elements":"0.85806","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02558","scoring_system":"epss","scoring_elements":"0.85809","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02558","scoring_system":"epss","scoring_elements":"0.85805","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02558","scoring_system":"epss","scoring_elements":"0.8579","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-2683"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3154"},{"reference_url":"http://seclists.org/oss-sec/2014/q2/0","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/oss-sec/2014/q2/0"},{"reference_url":"https://web.archive.org/web/20140419041226/http://www.securityfocus.com/bid/66358","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20140419041226/http://www.securityfocus.com/bid/66358"},{"reference_url":"https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072"},{"reference_url":"http://www.debian.org/security/2015/dsa-3265","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2015/dsa-3265"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-2683","reference_id":"CVE-2014-2683","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-2683"},{"reference_url":"https://github.com/advisories/GHSA-5wm2-38q5-5rxv","reference_id":"GHSA-5wm2-38q5-5rxv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5wm2-38q5-5rxv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51732?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-5bm4-grk6-w7hk"},{"vulnerability":"VCID-6xpr-93ef-27cu"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-9bm9-b48z-zqcm"},{"vulnerability":"VCID-a72a-7k6u-rqgr"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-njsg-e1w1-9qcy"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-r5y8-nc2w-kqde"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.4"}],"aliases":["CVE-2014-2683","GHSA-5wm2-38q5-5rxv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wkkp-82dc-huhr"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37473?format=json","vulnerability_id":"VCID-cp1a-fprd-9fhk","summary":"Improper Restriction of XML External Entity Reference\nPotential XML eXternal Entity injection vectors in Zend Framework 1 `Zend_Feed` component.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2012-05","reference_id":"","reference_type":"","scores":[],"url":"https://framework.zend.com/security/advisory/ZF2012-05"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51343?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-5bm4-grk6-w7hk"},{"vulnerability":"VCID-649h-2f2f-nbam"},{"vulnerability":"VCID-6fzg-den8-rqc8"},{"vulnerability":"VCID-6xpr-93ef-27cu"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-9bm9-b48z-zqcm"},{"vulnerability":"VCID-a72a-7k6u-rqgr"},{"vulnerability":"VCID-afnn-53q5-wqft"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-e9ut-smfp-7yb4"},{"vulnerability":"VCID-grk8-aj34-hqb4"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-njsg-e1w1-9qcy"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-r5y8-nc2w-kqde"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-tpdc-c3mz-zyd2"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"},{"vulnerability":"VCID-wkkp-82dc-huhr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.1"}],"aliases":["ZF2012-05"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cp1a-fprd-9fhk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55272?format=json","vulnerability_id":"VCID-j5kg-jzxz-ruam","summary":"ZendFramework potential XML eXternal Entity injection vectors\n`Zend_Feed_Rss` and `Zend_Feed_Atom` were found to contain potential XML eXternal Entity (XXE) vectors due to insecure usage of PHP's DOM extension. External entities could be specified by adding a specific DOCTYPE element to feeds; exploiting this vulnerability could coerce opening arbitrary files and/or TCP connections.\n\nA similar issue was fixed for 1.11.13 and 1.12.0, in the `Zend_Feed::import()` factory method; however, the reporter of the issue discovered that the individual classes contained similar functionality in their constructors which remained vulnerable.","references":[{"reference_url":"https://framework.zend.com/security/advisory/ZF2012-05","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://framework.zend.com/security/advisory/ZF2012-05"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2012-05.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2012-05.yaml"},{"reference_url":"https://github.com/zendframework/zf1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zf1"},{"reference_url":"https://github.com/advisories/GHSA-4j9x-g4x8-vcmf","reference_id":"GHSA-4j9x-g4x8-vcmf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4j9x-g4x8-vcmf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81792?format=json","purl":"pkg:composer/zendframework/zendframework1@1.11.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.11.15"},{"url":"http://public2.vulnerablecode.io/api/packages/51343?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-5bm4-grk6-w7hk"},{"vulnerability":"VCID-649h-2f2f-nbam"},{"vulnerability":"VCID-6fzg-den8-rqc8"},{"vulnerability":"VCID-6xpr-93ef-27cu"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-9bm9-b48z-zqcm"},{"vulnerability":"VCID-a72a-7k6u-rqgr"},{"vulnerability":"VCID-afnn-53q5-wqft"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-e9ut-smfp-7yb4"},{"vulnerability":"VCID-grk8-aj34-hqb4"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-njsg-e1w1-9qcy"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-r5y8-nc2w-kqde"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-tpdc-c3mz-zyd2"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"},{"vulnerability":"VCID-wkkp-82dc-huhr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.1"}],"aliases":["GHSA-4j9x-g4x8-vcmf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j5kg-jzxz-ruam"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/112405?format=json","vulnerability_id":"VCID-nsuf-xar5-f3hj","summary":"Zend Framework XXE Vulnerability\nThe (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.","references":[{"reference_url":"http://framework.zend.com/security/advisory/ZF2012-05","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://framework.zend.com/security/advisory/ZF2012-05"},{"reference_url":"http://openwall.com/lists/oss-security/2012/12/20/2","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://openwall.com/lists/oss-security/2012/12/20/2"},{"reference_url":"http://openwall.com/lists/oss-security/2012/12/20/4","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://openwall.com/lists/oss-security/2012/12/20/4"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-5657","reference_id":"","reference_type":"","scores":[{"value":"0.00719","scoring_system":"epss","scoring_elements":"0.72866","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00719","scoring_system":"epss","scoring_elements":"0.72868","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00719","scoring_system":"epss","scoring_elements":"0.72844","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00719","scoring_system":"epss","scoring_elements":"0.72873","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00719","scoring_system":"epss","scoring_elements":"0.72856","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00719","scoring_system":"epss","scoring_elements":"0.72828","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-5657"},{"reference_url":"https://github.com/zendframework/zf1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zf1"},{"reference_url":"https://github.com/zendframework/zf1/commit/15c84914f063efea49ea1c4425459a792cc185ea","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zendframework/zf1/commit/15c84914f063efea49ea1c4425459a792cc185ea"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-5657","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-5657"},{"reference_url":"https://web.archive.org/web/20131101014013/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:115/?name=MDVSA-2013:115","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20131101014013/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:115/?name=MDVSA-2013:115"},{"reference_url":"http://www.debian.org/security/2012/dsa-2602","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2012/dsa-2602"},{"reference_url":"https://github.com/advisories/GHSA-9m5v-vq4f-mrvf","reference_id":"GHSA-9m5v-vq4f-mrvf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9m5v-vq4f-mrvf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81792?format=json","purl":"pkg:composer/zendframework/zendframework1@1.11.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.11.15"},{"url":"http://public2.vulnerablecode.io/api/packages/51343?format=json","purl":"pkg:composer/zendframework/zendframework1@1.12.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ncq-wptr-k3ha"},{"vulnerability":"VCID-2xx4-77e9-pfbb"},{"vulnerability":"VCID-5bm4-grk6-w7hk"},{"vulnerability":"VCID-649h-2f2f-nbam"},{"vulnerability":"VCID-6fzg-den8-rqc8"},{"vulnerability":"VCID-6xpr-93ef-27cu"},{"vulnerability":"VCID-8atm-865q-mkf3"},{"vulnerability":"VCID-9bm9-b48z-zqcm"},{"vulnerability":"VCID-a72a-7k6u-rqgr"},{"vulnerability":"VCID-afnn-53q5-wqft"},{"vulnerability":"VCID-b1da-n1u7-43hj"},{"vulnerability":"VCID-bjvu-jg9w-mqdd"},{"vulnerability":"VCID-c8kp-n8m3-2khe"},{"vulnerability":"VCID-e9ut-smfp-7yb4"},{"vulnerability":"VCID-grk8-aj34-hqb4"},{"vulnerability":"VCID-h5yf-ahec-gbgx"},{"vulnerability":"VCID-n2gy-93nd-gber"},{"vulnerability":"VCID-njsg-e1w1-9qcy"},{"vulnerability":"VCID-ps73-776n-zffn"},{"vulnerability":"VCID-q73m-16a9-rkgx"},{"vulnerability":"VCID-q74z-645k-c7dk"},{"vulnerability":"VCID-r5y8-nc2w-kqde"},{"vulnerability":"VCID-rc3w-5r97-k3b3"},{"vulnerability":"VCID-sjw9-2fwe-5ybg"},{"vulnerability":"VCID-tpdc-c3mz-zyd2"},{"vulnerability":"VCID-uvgx-4m6v-2bg7"},{"vulnerability":"VCID-wkkp-82dc-huhr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.1"}],"aliases":["CVE-2012-5657","GHSA-9m5v-vq4f-mrvf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nsuf-xar5-f3hj"}],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.1"}