Package details: pkg:composer/zendframework/zendframework1@1.0.0
purl: pkg:composer/zendframework/zendframework1@1.0.0
Next non-vulnerable version: 1.11.12
Latest non-vulnerable version: 1.12.20
Risk
Vulnerabilities affecting this package (7)
Vulnerability | Summary | Fixed by
VCID-4y4f-z31m-dqaz
Aliases:
ZF2011-01
Cross-Site Scripting: Potential XSS in Development Environment Error View Script.
1.12.0
Affected by 19 other vulnerabilities.
VCID-bcxw-3gm9-akfv
Aliases:
GHSA-2jx7-xg83-j2m7
Zendframework Denial of Service vector via XEE injection
`Zend_Dom`, `Zend_Feed`, `Zend_Soap`, and `Zend_XmlRpc` are vulnerable to XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.
1.11.13
Affected by 0 other vulnerabilities.
VCID-bm9s-eke4-tfhk
Aliases:
ZF2012-01
Improper Restriction of XML External Entity Reference: Local file disclosure via XXE injection in `Zend_XmlRpc`.
1.12.0
Affected by 19 other vulnerabilities.
VCID-f7rw-4dqp-pqgb
Aliases:
GHSA-229x-22xc-2f2w
Zendframework Local file disclosure via XXE injection in `Zend_XmlRpc`
`Zend_XmlRpc` is vulnerable to XML eXternal Entity (XXE) Injection attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
1.11.13
Affected by 0 other vulnerabilities.
VCID-nyxj-v79u-qka4
Aliases:
ZF2012-02
Improper Restriction of XML External Entity Reference: Denial of Service vector via XEE injection.
1.12.0
Affected by 19 other vulnerabilities.
VCID-wbb2-mubf-ukhk
Aliases:
CVE-2012-3363
GHSA-7pg4-5233-82jv
Zend Framework XXE Vulnerability
`Zend_XmlRpc` in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
1.11.12
Affected by 0 other vulnerabilities.
1.12.0
Affected by 19 other vulnerabilities.
VCID-zjcy-kx8e-ayeq
Aliases:
GHSA-g52p-86j5-xr8q
ZendFramework Potential Cross-site Scripting in Development Environment Error View Script
The default error handling view script generated using `Zend_Tool` failed to escape request parameters when run in the "development" configuration environment, providing a potential XSS attack vector. `Zend_Tool_Project_Context_Zf_ViewScriptFile` was patched such that the view script template now calls the `escape()` method on dumped request variables. Zend Framework 1.11.4 includes a patch that adds escaping to the generated error/error.phtml view script, ensuring that request variables are escaped appropriately for the browser. Do note, however, that this will not update any previously generated code. You will still need to follow the next advice for previously generated error view scripts.
1.11.4
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability | Summary | Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-04T16:21:56.130260+00:00 | GitLab Importer | Affected by | VCID-f7rw-4dqp-pqgb | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/GHSA-229x-22xc-2f2w.yml | 38.6.0 |
| 2026-06-04T16:21:55.903685+00:00 | GitLab Importer | Affected by | VCID-zjcy-kx8e-ayeq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/GHSA-g52p-86j5-xr8q.yml | 38.6.0 |
| 2026-06-04T16:21:55.118024+00:00 | GitLab Importer | Affected by | VCID-bcxw-3gm9-akfv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/GHSA-2jx7-xg83-j2m7.yml | 38.6.0 |
| 2026-06-02T04:43:44.782603+00:00 | GitLab Importer | Affected by | VCID-wbb2-mubf-ukhk | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/CVE-2012-3363.yml | 38.6.0 |
| 2026-06-02T04:36:06.056841+00:00 | GitLab Importer | Affected by | VCID-nyxj-v79u-qka4 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/ZF2012-02.yml | 38.6.0 |
| 2026-06-02T04:36:05.798665+00:00 | GitLab Importer | Affected by | VCID-bm9s-eke4-tfhk | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/ZF2012-01.yml | 38.6.0 |
| 2026-06-02T04:36:05.293959+00:00 | GitLab Importer | Affected by | VCID-4y4f-z31m-dqaz | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/ZF2011-01.yml | 38.6.0 |