Skip to main content

Zend Framework

22 CVEs product

Monthly

CVE-2020-29312 CRITICAL Act Now

An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Zend Framework
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
1.5%
CVE-2021-3007 PHP CRITICAL POC PATCH THREAT Act Now

Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE PHP Laminas Http Zend Framework
NVD GitHub
CVSS 3.1
9.8
EPSS
75.3%
CVE-2014-4914 CRITICAL Act Now

The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Zend Framework Debian Linux
NVD
CVSS 3.0
9.8
EPSS
3.4%
CVE-2015-7503 PHP HIGH PATCH This Week

Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2.4.9, and 2.5.x before 2.5.2 allows remote attackers to recover the RSA private key. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Zend Framework
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2015-1555 CRITICAL Act Now

Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Zend Framework
NVD
CVSS 3.0
9.1
EPSS
0.3%
CVE-2015-1786 PHP HIGH PATCH This Week

Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework 2.3.x before 2.3.6 via null or malformed token identifiers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Zend Framework
NVD
CVSS 3.0
8.8
EPSS
0.1%
CVE-2016-6233 PHP CRITICAL POC PATCH Act Now

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Fedora Zend Framework
NVD
CVSS 3.0
9.8
EPSS
1.7%
CVE-2016-4861 PHP CRITICAL POC PATCH Act Now

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Fedora Zend Framework
NVD
CVSS 3.0
9.8
EPSS
4.0%
CVE-2016-10034 PHP CRITICAL POC PATCH THREAT Act Now

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 82.3%.

Command Injection RCE Zend Framework Zend Mail
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
82.3%
Threat
5.9
CVE-2015-7695 PHP CRITICAL PATCH Act Now

The PDO adapters in Zend Framework before 1.12.16 do not filer null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Zend Framework Debian Linux
NVD
CVSS 3.0
9.8
EPSS
2.2%
CVE-2015-5723 PHP HIGH PATCH This Week

Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

PHP Privilege Escalation Zend Cache Debian Linux Object Relational Mapper +7
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2015-5161 PHP MEDIUM POC PATCH THREAT This Month

The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 32.8%.

XXE Zend Framework
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
32.8%
CVE-2014-2684 MEDIUM This Month

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 does not verify that the openid_op_endpoint value. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Zendopenid Zend Framework
NVD
CVSS 2.0
6.4
EPSS
0.6%
CVE-2014-2683 PHP MEDIUM PATCH This Month

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare,. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Zendrest Zend Framework Zendservice Slideshare Zendservice Api +6
NVD
CVSS 2.0
5.0
EPSS
2.6%
CVE-2014-2682 PHP MEDIUM PATCH This Month

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare,. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

XXE Zendrest Zend Framework Zendservice Slideshare Zendservice Api +6
NVD VulDB
CVSS 2.0
6.8
EPSS
1.8%
CVE-2014-2681 PHP MEDIUM PATCH This Month

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service XXE Zendrest Zend Framework Zendservice Slideshare +7
NVD
CVSS 2.0
6.4
EPSS
3.0%
CVE-2014-8088 PHP MEDIUM PATCH This Month

The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Zend Framework
NVD
CVSS 2.0
5.0
EPSS
0.6%
CVE-2014-2685 HIGH This Week

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Zend Framework Zendopenid
NVD
CVSS 2.0
7.5
EPSS
0.8%
CVE-2012-5657 PHP MEDIUM PATCH This Month

The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Denial Of Service Information Disclosure XXE Zend Framework
NVD
CVSS 2.0
5.0
EPSS
0.7%
CVE-2012-6532 PHP MEDIUM PATCH This Month

(1) Zend_Dom, (2) Zend_Feed, (3) Zend_Soap, and (4) Zend_XmlRpc in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 allow remote attackers to cause a denial of service (CPU consumption) via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Zend Framework
NVD
CVSS 2.0
5.0
EPSS
0.5%
CVE-2012-6531 PHP MEDIUM PATCH This Month

(1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement classes, which allow remote attackers to read. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

XXE Zend Framework
NVD
CVSS 2.0
6.4
EPSS
0.9%
CVE-2012-3363 PHP CRITICAL POC PATCH THREAT Act Now

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 55.1%.

XXE Zend Framework Fedora Debian Linux
NVD Exploit-DB
CVSS 3.1
9.1
EPSS
55.1%
Threat
5.0
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Zend Framework
NVD GitHub VulDB
EPSS 75% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE PHP +2
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL Act Now

The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Zend Framework Debian Linux
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2.4.9, and 2.5.x before 2.5.2 allows remote attackers to recover the RSA private key. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Zend Framework
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Zend Framework
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework 2.3.x before 2.3.6 via null or malformed token identifiers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Zend Framework
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Fedora Zend Framework
NVD
EPSS 4% CVSS 9.8
CRITICAL POC PATCH Act Now

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Fedora Zend Framework
NVD
EPSS 82% 5.9 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 82.3%.

Command Injection RCE Zend Framework +1
NVD Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

The PDO adapters in Zend Framework before 1.12.16 do not filer null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Zend Framework Debian Linux
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

PHP Privilege Escalation Zend Cache +9
NVD
EPSS 33% CVSS 6.8
MEDIUM POC PATCH THREAT This Month

The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 32.8%.

XXE Zend Framework
NVD Exploit-DB
EPSS 1% CVSS 6.4
MEDIUM This Month

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 does not verify that the openid_op_endpoint value. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Zendopenid Zend Framework
NVD
EPSS 3% CVSS 5.0
MEDIUM PATCH This Month

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare,. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Zendrest Zend Framework +8
NVD
EPSS 2% CVSS 6.8
MEDIUM PATCH This Month

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare,. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

XXE Zendrest Zend Framework +8
NVD VulDB
EPSS 3% CVSS 6.4
MEDIUM PATCH This Month

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service XXE Zendrest +9
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Zend Framework
NVD
EPSS 1% CVSS 7.5
HIGH This Week

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Zend Framework Zendopenid
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Denial Of Service Information Disclosure XXE +1
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

(1) Zend_Dom, (2) Zend_Feed, (3) Zend_Soap, and (4) Zend_XmlRpc in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 allow remote attackers to cause a denial of service (CPU consumption) via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Zend Framework
NVD
EPSS 1% CVSS 6.4
MEDIUM PATCH This Month

(1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement classes, which allow remote attackers to read. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

XXE Zend Framework
NVD
EPSS 55% 5.0 CVSS 9.1
CRITICAL POC PATCH THREAT Act Now

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 55.1%.

XXE Zend Framework Fedora +1
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy