zendframework/zendframework1 Security Advisories (34)
-
[MEDIUM] Zend Framework XEE Vulnerability
PKSA-9v57-gxnf-ggq8 CVE-2012-6531 GHSA-h5p3-7mg6-hgj4
Affected version: >=1.12.0-rc1,<1.12.0|>=1.0,<1.11.13
Reported by: GitHub
-
[MEDIUM] Zend Framework XXE Vulnerability
PKSA-6k49-tm57-6c4z CVE-2012-5657 GHSA-9m5v-vq4f-mrvf
Affected version: >=1.12.0-rc1,<1.12.1|<1.11.15
Reported by: GitHub
-
[MEDIUM] Zend Framework XEE Vulnerability
PKSA-4cn5-143w-bwh1 CVE-2012-6532 GHSA-jh4x-4wmf-67pr
Affected version: >=1.12.0-rc1,<1.12.0|>=1.0,<1.11.13
Reported by: GitHub
-
[HIGH] Zend Framework XXE Vulnerability
PKSA-9336-p9y5-q64w CVE-2012-3363 GHSA-7pg4-5233-82jv
Affected version: >=1.0.0,<1.11.12|>=1.12.0-rc1,<1.12.0
Reported by: GitHub
-
[CRITICAL] Zend Framework SQL injection vector using null byte for PDO
PKSA-4bm5-6799-t9s8 CVE-2015-7695 GHSA-2hvh-c5c2-vj85
Affected version: <1.12.16
Reported by: GitHub
-
[MEDIUM] Several Zend Products Vulnerable to XXE and XEE attacks
PKSA-7tbc-4p3k-67wb CVE-2014-2683 GHSA-5wm2-38q5-5rxv
Affected version: <1.12.4
Reported by: GitHub
-
[MEDIUM] Several Zend Products Vulnerable to XXE and XEE attacks
PKSA-7jnn-xn3f-kf8r CVE-2014-2682 GHSA-gp39-h9c2-qw79
Affected version: <1.12.4
Reported by: GitHub
-
[MEDIUM] Several Zend Products Vulnerable to XXE and XEE attacks
PKSA-x1xp-mbsx-211w CVE-2014-2681 GHSA-43xg-87xw-jpv8
Affected version: <1.12.4
Reported by: GitHub
-
[MEDIUM] Potential SQL injection in ORDER and GROUP functions of ZF1
PKSA-nfx8-h3yx-xf86 GHSA-vvm3-rv48-j3g5
Affected version: <1.12.20
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[CRITICAL] Potential SQL injection in ORDER and GROUP statements of Zend_Db_Select
PKSA-8gbh-rfqt-hz91 CVE-2016-6233 GHSA-p9hp-3gpv-52w3
Affected version: <1.12.19
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[HIGH] Potential Insufficient Entropy Vulnerability in ZF1
PKSA-pyvt-9h93-zmzx GHSA-229x-22xc-2f2w
Affected version: >=1.12.0,<1.12.18
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[CRITICAL] Potential Information Disclosure and Insufficient Entropy vulnerability in Zend\Captcha\Word
PKSA-vxf6-mhns-kytt GHSA-mhpx-3rv8-wrjm
Affected version: >=1.12.0,<1.12.17
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[HIGH] Filesystem Permissions Issues in Multiple Components
PKSA-gk48-4tyq-1mz2 CVE-2015-5723 GHSA-pw5c-xqf2-6xc2
Affected version: >=1.12.0,<1.12.16
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[CRITICAL] Potential SQL injection vector using null byte for PDO (MsSql, SQLite)
PKSA-d2kh-9h2x-yxmw GHSA-2x36-qhx3-7m5f
Affected version: >=1.12.0,<1.12.16
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[MEDIUM] XXE/XEE vector when using ZendXml on multibyte payloads
PKSA-wkm6-gzx7-1qtv CVE-2015-5161 GHSA-xp8p-9rq5-4wgv
Affected version: >=1.12.0,<1.12.14
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[MEDIUM] Potential CRLF injection attacks in mail and HTTP headers
PKSA-t57f-zdqy-25cs CVE-2015-3154 GHSA-5957-5crx-79jx
Affected version: >=1.12.0,<1.12.12
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[CRITICAL] SQL injection vector when manually quoting values for sqlsrv extension, using null byte
PKSA-7r13-9y1m-j63k CVE-2014-8089 GHSA-qh9w-r7g5-q939
Affected version: >=1.12.0,<1.12.9
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[MEDIUM] Anonymous authentication in ldap_bind() function of PHP, using null byte
PKSA-3shc-t8pf-jqw7 CVE-2014-8088 GHSA-f6rc-rh43-h8gr
Affected version: >=1.12.0,<1.12.9
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[CRITICAL] Potential SQL injection in the ORDER implementation of Zend_Db_Select
PKSA-tvy7-8234-fpzd GHSA-qf36-fx9f-232x
Affected version: >=1.12.0,<1.12.7
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[CRITICAL] Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse
PKSA-6vg5-w5m6-1bx1 GHSA-v42g-7q2x-cw32
Affected version: >=1.12.0,<1.12.4
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[MEDIUM] Potential security issue in login mechanism of ZendOpenId and Zend_OpenId consumer
PKSA-vjnw-6878-c6gh GHSA-g52p-86j5-xr8q
Affected version: >=1.12.0,<1.12.4
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[MEDIUM] Potential XML eXternal Entity injection vectors in Zend Framework 1 Zend_Feed component
PKSA-pg9c-q7n7-grm2 GHSA-j543-vg33-g6vj
Affected version: >=1.11.0,<1.11.15|>=1.12.0,<1.12.1
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[HIGH] Denial of Service vector via XEE injection
PKSA-85gv-59x4-jyqb GHSA-8xhv-gqm4-3w99
Affected version: >=1.0.0,<1.11.13
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[MEDIUM] Local file disclosure via XXE injection in Zend_XmlRpc
PKSA-4dxf-7w4v-7w6m GHSA-4vf6-mq7w-3hp6
Affected version: >=1.0.0,<1.11.13
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[HIGH] Potential XSS in Development Environment Error View Script
PKSA-yg25-w6n5-tr38 GHSA-9v78-h226-2rmq
Affected version: >=1.0.0,<1.11.4
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[MEDIUM] Potential SQL Injection Vector When Using PDO_MySql
PKSA-8why-wztd-t5cm GHSA-hg35-vqp3-fv39
Affected version: >=1.10.0,<1.10.9|>=1.11.0,<1.11.6
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[MEDIUM] Potential Security Issues in Bundled Dojo Library
PKSA-tsmz-s3cz-9ntg GHSA-gwpm-pm6x-h7rj
Affected version: >=1.9.0,<1.9.8|>=1.10.0,<1.10.3
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[HIGH] Potential XSS vector in Zend_Dojo_View_Helper_Editor
PKSA-yz7g-7sjm-mtdd GHSA-2jx7-xg83-j2m7
Affected version: >=1.7.0,<1.7.9|>=1.8.0,<1.8.5|>=1.9.0,<1.9.7
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[CRITICAL] Potential XSS vectors due to inconsistent encodings
PKSA-5kdk-hgqh-2zb8 GHSA-6fqw-j3vm-7f66
Affected version: >=1.9.0,<1.9.7
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[MEDIUM] Potential XSS vector in Zend_Service_ReCaptcha_MailHide
PKSA-qvyz-by69-ycpq GHSA-4v57-pwvf-x35j
Affected version: >=1.7.0,<1.7.9|>=1.8.0,<1.8.5|>=1.9.0,<1.9.7
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[HIGH] Potential Security Issues in Bundled Dojo Library
PKSA-8f4b-rwd4-yb4x GHSA-4j9x-g4x8-vcmf
Affected version: >=1.7.0,<1.7.9|>=1.8.0,<1.8.5|>=1.9.0,<1.9.7
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[HIGH] Potential XSS vector in Zend_Filter_StripTags when comments allowed
PKSA-pzj8-fsxn-4jj2 GHSA-hx3m-959f-v849
Affected version: >=1.7.0,<1.7.9|>=1.8.0,<1.8.5|>=1.9.0,<1.9.7
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[HIGH] XSS vector in Zend_Filter_StripTags
PKSA-3bnk-phyr-4y6w GHSA-848f-mph5-9pm9
Affected version: >=1.7.0,<1.7.6
Reported by: GitHub, FriendsOfPHP/security-advisories
-
[MEDIUM] LFI vector in Zend_View::setScriptPath() and render()
PKSA-ry2q-88gq-kq94 GHSA-w5mj-j45q-m638
Affected version: >=1.7.0,<1.7.5
Reported by: GitHub, FriendsOfPHP/security-advisories