VulnerableCode Package Details - pkg:composer/zendframework/zendframework@2.4.7

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:composer/zendframework/zendframework@2.4.7

Essentials
History (6)

purl	pkg:composer/zendframework/zendframework@2.4.7

Next non-vulnerable version	2.5.2
Latest non-vulnerable version	2.5.2
Risk

Vulnerabilities affecting this package (6)

Vulnerability	Summary	Fixed by
VCID-5vu7-szck-9qay Aliases: ZF2016-04	Remote code execution in zend-mail via Sendmail adapter A malicious user may be able to inject arbitrary parameters to the system Sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability.	2.4.11 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.5.0 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-5vu8-msgg-uqa5 Aliases: GMS-2015-48	Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.	2.4.9 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.5.2 Affected by 0 other vulnerabilities.
VCID-ern1-u894-4ubj Aliases: ZF2018-01	URL Redirection to Untrusted Site (Open Redirect) URL Rewrite vulnerability.	2.5.0 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-gakp-8kf1-byg4 Aliases: ZF2015-09	Potential Information Disclosure and Insufficient Entropy vulnerability in `Zend\Captcha\Word`.	2.4.9 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.5.0 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-pt1n-7yfb-a7d4 Aliases: CVE-2015-5723 GHSA-pw5c-xqf2-6xc2	Security Misconfiguration Vulnerability Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of	2.4.8 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-skyf-p5pm-7ybp Aliases: CVE-2015-7503 GHSA-pm9m-w23q-5967	Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey Zend\Crypt\PublicKey\Rsa\PublicKey has a call to `openssl_public_encrypt()` which uses PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts. Users should upgrade to a fixed version unless there are not using the RSA public key functionality.	2.4.9 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.5.2 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T09:47:01.823110+00:00	GitLab Importer	Affected by	VCID-ern1-u894-4ubj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/ZF2018-01.yml	38.6.0
2026-05-31T09:40:56.981662+00:00	GitLab Importer	Affected by	VCID-skyf-p5pm-7ybp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/CVE-2015-7503.yml	38.6.0
2026-05-31T09:36:49.959029+00:00	GitLab Importer	Affected by	VCID-5vu7-szck-9qay	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/ZF2016-04.yml	38.6.0
2026-05-31T09:35:43.656402+00:00	GitLab Importer	Affected by	VCID-pt1n-7yfb-a7d4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/CVE-2015-5723.yml	38.6.0
2026-05-31T09:34:41.136278+00:00	GitLab Importer	Affected by	VCID-5vu8-msgg-uqa5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/GMS-2015-48.yml	38.6.0
2026-05-31T09:34:40.034808+00:00	GitLab Importer	Affected by	VCID-gakp-8kf1-byg4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/ZF2015-09.yml	38.6.0