📦

zend_framework

Vendor: zend

Actively Exploited 0 CISA KEV List

PoC / Exploits 6 Code Available

Total RCEs 3 Remote Access

Total CVEs 144 Total Indexed

Avg. EPSS 11.31% Exploit Prob.

Latest CVE CVE-2020-29312 Apr 04

Security Vulnerability Index

Page 1 / 15

9.8 CVSS

CVE-2020-29312

RCE

An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020.

EPSS: 3.67%

Severity: CRITICAL

Apr 04, 2023

9.8 CVSS

CVE-2021-3007

RCE Exploit Found

Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized

EPSS: 92.18%

Severity: CRITICAL

Jan 04, 2021

9.8 CVSS

CVE-2014-8089

SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.

EPSS: 1.12%

Severity: CRITICAL

Feb 17, 2020

6.1 CVSS

CVE-2015-3154

CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.

EPSS: 0.27%

Severity: MEDIUM

Jan 27, 2020

6.1 CVSS

CVE-2012-4451

Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, or (8) View\Helper\Placeholder\Container\AbstractStandalone, related to Escaper.

EPSS: 1.78%

Severity: MEDIUM

Jan 03, 2020

6.1 CVSS

CVE-2014-4913

ZF2014-03 has a potential cross site scripting vector in multiple view helpers

EPSS: 0.47%

Severity: MEDIUM

Dec 15, 2019

9.8 CVSS

CVE-2011-1939

Exploit Found

SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6.

EPSS: 5.55%

Severity: CRITICAL

Nov 26, 2019

9.8 CVSS

CVE-2014-4914

The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors.

EPSS: 3.44%

Severity: CRITICAL

Dec 29, 2017

7.5 CVSS

CVE-2015-7503

Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2.4.9, and 2.5.x before 2.5.2 allows remote attackers to recover the RSA private key.

EPSS: 0.25%

Severity: HIGH

Oct 10, 2017

9.1 CVSS

CVE-2015-1555

Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators.

EPSS: 0.29%

Severity: CRITICAL

Aug 07, 2017

Displaying 10 of 144 Total Entries

1 2 3 4 5 ... 15

Total 15 Sections