VulnerableCode Package Details - pkg:composer/zendframework/zendframework@2.5.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-8fwb-56kb-jubf Aliases: CVE-2015-7503	Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey Zend\Crypt\PublicKey\Rsa\PublicKey has a call to `openssl_public_encrypt()` which uses PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts. Users should upgrade to a fixed version unless there are not using the RSA public key functionality.	2.5.2 Affected by 0 other vulnerabilities.
VCID-njsg-e1w1-9qcy Aliases: CVE-2015-5161	XXE/XEE vulnerability via multibyte payloads There's a flow that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only apply when running under PHP-FPM in a threaded environment.	2.5.2 Affected by 0 other vulnerabilities.
VCID-vmut-b2y4-rkcp Aliases: GMS-2015-48	Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.	2.5.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-8fwb-56kb-jubf
Aliases:
CVE-2015-7503

Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey Zend\Crypt\PublicKey\Rsa\PublicKey has a call to `openssl_public_encrypt()` which uses PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts. Users should upgrade to a fixed version unless there are not using the RSA public key functionality.

2.5.2
Affected by 0 other vulnerabilities.

VCID-njsg-e1w1-9qcy
Aliases:
CVE-2015-5161

XXE/XEE vulnerability via multibyte payloads There's a flow that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only apply when running under PHP-FPM in a threaded environment.

2.5.2
Affected by 0 other vulnerabilities.

VCID-vmut-b2y4-rkcp
Aliases:
GMS-2015-48

Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.

2.5.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-wz4g-j8zt-ruff	URL Redirection to Untrusted Site (Open Redirect) URL Rewrite vulnerability.	ZF2018-01

Vulnerability

Summary

Aliases

VCID-wz4g-j8zt-ruff

URL Redirection to Untrusted Site (Open Redirect) URL Rewrite vulnerability.

ZF2018-01

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:37:53.808362+00:00	GitLab Importer	Fixing	VCID-wz4g-j8zt-ruff	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/ZF2018-01.yml	38.6.0
2026-06-02T04:37:11.138497+00:00	GitLab Importer	Affected by	VCID-8fwb-56kb-jubf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/CVE-2015-7503.yml	38.6.0
2026-06-02T04:36:27.257498+00:00	GitLab Importer	Affected by	VCID-vmut-b2y4-rkcp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/GMS-2015-48.yml	38.6.0
2026-06-02T04:36:25.441633+00:00	GitLab Importer	Affected by	VCID-njsg-e1w1-9qcy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/CVE-2015-5161.yml	38.6.0