Search for packages
| purl | pkg:composer/zendframework/zendframework@2.2.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-32vp-nn7p-6ubz
Aliases: CVE-2015-5161 GHSA-xp8p-9rq5-4wgv |
XXE/XEE vulnerability via multibyte payloads There's a flow that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only apply when running under PHP-FPM in a threaded environment. |
Affected by 9 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-54fv-3h1e-jkc2
Aliases: GHSA-xffp-6w68-4775 |
Zendframework Remote Address Spoofing Vector in `Zend\Http\PhpEnvironment\RemoteAddress` |
Affected by 19 other vulnerabilities. |
|
VCID-5vu7-szck-9qay
Aliases: ZF2016-04 |
Remote code execution in zend-mail via Sendmail adapter A malicious user may be able to inject arbitrary parameters to the system Sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability. |
Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-5vu8-msgg-uqa5
Aliases: GMS-2015-48 |
Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation. |
Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-8qw1-c6ps-87gr
Aliases: GHSA-62f6-h68r-3jpw |
Zendframework session validation vulnerability |
Affected by 11 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-9f4w-2ekz-9qdj
Aliases: CVE-2014-8088 GHSA-f6rc-rh43-h8gr |
Improper Authentication The (1) `Zend_Ldap` class in Zend and (2) `Zend
dap` component in Zend allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind. |
Affected by 13 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-b65y-s3xq-gbhk
Aliases: GHSA-8q77-cv62-jj38 |
Zendframework has potential Cross-site Scripting vector in multiple view helpers |
Affected by 15 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-cbcv-76c1-83fd
Aliases: GHSA-fh7r-58q4-6387 |
Zendframework URL Rewrite vulnerability |
Affected by 3 other vulnerabilities. |
|
VCID-ehec-uwtf-ebd6
Aliases: ZF2015-01 |
Session Fixation Session validation vulnerability. |
Affected by 11 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-ern1-u894-4ubj
Aliases: ZF2018-01 |
URL Redirection to Untrusted Site (Open Redirect) URL Rewrite vulnerability. |
Affected by 3 other vulnerabilities. |
|
VCID-gakp-8kf1-byg4
Aliases: ZF2015-09 |
Potential Information Disclosure and Insufficient Entropy vulnerability in `Zend\Captcha\Word`. |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-m522-m798-wff9
Aliases: CVE-2014-8089 GHSA-qh9w-r7g5-q939 |
SQL Injection SQL injection vector when manually quoting values for `sqlsrv` extension, using null byte. |
Affected by 13 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-m9fb-uwg4-k7dj
Aliases: CVE-2015-0270 GHSA-v59p-p692-v382 |
Affected by 10 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
|
VCID-pt1n-7yfb-a7d4
Aliases: CVE-2015-5723 GHSA-pw5c-xqf2-6xc2 |
Security Misconfiguration Vulnerability Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of |
Affected by 8 other vulnerabilities. |
|
VCID-rbms-evwg-27fv
Aliases: GHSA-qc7w-4567-84wv |
Zendframework vulnerable to XXE/XEE attacks |
Affected by 16 other vulnerabilities. |
|
VCID-rfxg-rjxa-2ya4
Aliases: GHSA-gff2-p6vm-3p8g |
ZendFramework potential remote code execution in zend-mail via Sendmail adapter |
Affected by 2 other vulnerabilities. |
|
VCID-skyf-p5pm-7ybp
Aliases: CVE-2015-7503 GHSA-pm9m-w23q-5967 |
Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey Zend\Crypt\PublicKey\Rsa\PublicKey has a call to `openssl_public_encrypt()` which uses PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts. Users should upgrade to a fixed version unless there are not using the RSA public key functionality. |
Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-um3k-ycae-vkdw
Aliases: ZF2013-04 |
Information Exposure Potential Remote Address Spoofing Vector in `Zend\Http\PhpEnvironment\RemoteAddress`. |
Affected by 19 other vulnerabilities. |
|
VCID-up66-v9k6-wyhz
Aliases: ZF2014-01 |
Improper Restriction of XML External Entity Reference Potential XXE/XEE attacks using PHP functions: `simplexml_load_*`, `DOMDocument::loadXML`, and `xml_parse`. |
Affected by 16 other vulnerabilities. |
|
VCID-uzrf-qjjv-gkcx
Aliases: ZF2014-03 |
Cross-site Scripting Potential XSS vector in multiple view helpers. |
Affected by 15 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-xzuu-fk13-2qa1
Aliases: GHSA-2fhr-8r8r-qp56 |
ZendFramework Information Disclosure and Insufficient Entropy vulnerability |
Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||