Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized
Max CVSS
9.8
EPSS Score
3.15%
Published
2021-01-04
Updated
2024-03-21
An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function.
Max CVSS
9.8
EPSS Score
0.47%
Published
2023-04-04
Updated
2023-04-10
lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta failed to properly check for equality when validating the session cookie, allowing an attacker to gain administrative access with a large number of requests.
Max CVSS
9.8
EPSS Score
0.22%
Published
2020-03-24
Updated
2020-03-27
ZendTo prior to 5.22-2 Beta allowed reflected XSS and CSRF via the unlock.tpl unlock user functionality.
Max CVSS
8.8
EPSS Score
0.07%
Published
2020-03-24
Updated
2020-03-27

CVE-2016-10034

Public exploit
The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.
Max CVSS
9.8
EPSS Score
96.41%
Published
2016-12-30
Updated
2018-10-21
The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression.
Max CVSS
9.8
EPSS Score
1.92%
Published
2017-02-17
Updated
2018-10-21
The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.
Max CVSS
9.8
EPSS Score
0.90%
Published
2017-02-17
Updated
2018-10-21
The PDO adapters in Zend Framework before 1.12.16 do not filer null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query.
Max CVSS
9.8
EPSS Score
1.63%
Published
2016-06-07
Updated
2016-11-28
Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework 2.3.x before 2.3.6 via null or malformed token identifiers.
Max CVSS
8.8
EPSS Score
0.07%
Published
2017-06-08
Updated
2017-06-15
Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators.
Max CVSS
9.1
EPSS Score
0.30%
Published
2017-08-07
Updated
2017-08-15
Zend Framework before 2.2.10 and 2.3.x before 2.3.5 has Potential SQL injection in PostgreSQL Zend\Db adapter.
Max CVSS
9.8
EPSS Score
0.14%
Published
2019-10-25
Updated
2019-10-30
SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.
Max CVSS
9.8
EPSS Score
0.38%
Published
2020-02-17
Updated
2020-02-20
The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors.
Max CVSS
9.8
EPSS Score
0.52%
Published
2017-12-29
Updated
2018-01-17
Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
Max CVSS
9.1
EPSS Score
52.46%
Published
2013-02-13
Updated
2024-02-15
SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6.
Max CVSS
9.8
EPSS Score
1.33%
Published
2019-11-26
Updated
2019-12-10
15 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!