Security Advisories - zendframework/zendframework

zendframework/zendframework Security Advisories for 2.3.2 (12)

[CRITICAL] Remote code execution in zendframework and laminas-http

PKSA-9gb9-jn3z-tytw CVE-2021-3007 GHSA-xx8f-qf9f-5fgw

Affected version: <=3.0.0

Reported by:
GitHub
URL Rewrite vulnerability

PKSA-z1tz-rmmp-kgkw

Affected version: <2.5.0

Reported by:
FriendsOfPHP/security-advisories
Potential remote code execution in zend-mail via Sendmail adapter

PKSA-n4jn-zfz3-4hxy

Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.4.11

Reported by:
FriendsOfPHP/security-advisories
Potential Information Disclosure and Insufficient Entropy vulnerability in Zend\Captcha\Word

PKSA-5jbd-wvkt-7qnp

Affected version: >=2.0.0,<2.4.9

Reported by:
FriendsOfPHP/security-advisories
[HIGH] Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey

PKSA-xx58-19nw-1zf8 CVE-2015-7503 GHSA-pm9m-w23q-5967

Affected version: >=2.0.0,<2.4.9

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] XXE/XEE vector when using ZendXml on multibyte payloads

PKSA-zb12-j4m8-9hsy CVE-2015-5161 GHSA-xp8p-9rq5-4wgv

Affected version: >=2.0.0,<2.0.99|>=2.1.0,<2.1.99|>=2.2.0,<2.2.99|>=2.3.0,<2.3.8|>=2.4.0,<2.4.6|>=2.5.0,<2.5.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Potential CRLF injection attacks in mail and HTTP headers

PKSA-497z-pn7r-9vxp CVE-2015-3154 GHSA-5957-5crx-79jx

Affected version: >=2.0.0,<2.0.99|>=2.1.0,<2.1.99|>=2.3.0,<2.3.8|>=2.4.0,<2.4.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Invalid CSRF validation of null or incorrectly formatted token identifiers

PKSA-276y-7fb9-m4j6 CVE-2015-1786 GHSA-gwwq-54qp-9pgp

Affected version: >=2.3.0,<2.3.6

Reported by:
GitHub, FriendsOfPHP/security-advisories
[CRITICAL] Potential SQL injection in PostgreSQL Zend\Db adapter

PKSA-hhrr-1j3s-z7ms CVE-2015-0270 GHSA-v59p-p692-v382

Affected version: >=2.0.0,<2.0.99|>=2.1.0,<2.1.99|>=2.2.0,<2.2.10|>=2.3.0,<2.3.5

Reported by:
GitHub, FriendsOfPHP/security-advisories
Session validation vulnerability

PKSA-7cvs-sc1c-cky4

Affected version: >=2.0.0,<2.0.99|>=2.1.0,<2.1.99|>=2.2.0,<2.2.9|>=2.3.0,<2.3.4

Reported by:
FriendsOfPHP/security-advisories
[MEDIUM] Anonymous authentication in ldap_bind() function of PHP, using null byte

PKSA-3q2t-qm4h-6vbd CVE-2014-8088 GHSA-f6rc-rh43-h8gr

Affected version: >=2.0.0,<2.0.99|>=2.1.0,<2.1.99|>=2.2.0,<2.2.8|>=2.3.0,<2.3.3

Reported by:
GitHub, FriendsOfPHP/security-advisories
[CRITICAL] SQL injection vector when manually quoting values for sqlsrv extension, using null byte

PKSA-h3c9-mp2p-z2zh CVE-2014-8089 GHSA-qh9w-r7g5-q939

Affected version: >=2.0.0,<2.0.99|>=2.1.0,<2.1.99|>=2.2.0,<2.2.8|>=2.3.0,<2.3.3

Reported by:
GitHub, FriendsOfPHP/security-advisories

zendframework/zendframework Security Advisories for 2.3.2 (12)

[CRITICAL] Remote code execution in zendframework and laminas-http

URL Rewrite vulnerability

Potential remote code execution in zend-mail via Sendmail adapter

Potential Information Disclosure and Insufficient Entropy vulnerability in Zend\Captcha\Word

[HIGH] Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey

[MEDIUM] XXE/XEE vector when using ZendXml on multibyte payloads

[MEDIUM] Potential CRLF injection attacks in mail and HTTP headers

[HIGH] Invalid CSRF validation of null or incorrectly formatted token identifiers

[CRITICAL] Potential SQL injection in PostgreSQL Zend\Db adapter

Session validation vulnerability

[MEDIUM] Anonymous authentication in ldap_bind() function of PHP, using null byte

[CRITICAL] SQL injection vector when manually quoting values for sqlsrv extension, using null byte