CVE-2016-4861: SQL Injection in Zend Framework

CWE-89: SQL Injection
8 documents, 5 sources

Severity: 9.8 CRITICAL (NVD)
EPSS: 4.0% (top 11.59%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 17 (2017); latest update May 14 (2022)

Description

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.
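
The description names the mechanism without showing it. What follows is an added example written for this page; it is not Zend Framework code and does not reproduce the real checks in Zend_Db_Select. It models a validator for one ORDER BY / GROUP BY argument that treats a plain name as an identifier to be quoted and a single function call as a raw expression, and runs that check either on the raw string (the pre-1.12.20 behaviour the description attributes to the bug) or after SQL comments have been removed (the behaviour the fix is described as adding). Every function name, the regular expressions, the MySQL-style comment rules and the sample inputs are assumptions made for the demonstration.

```python
import re

# Added example, not Zend Framework code: a model ORDER BY / GROUP BY argument
# check, run on the raw string or after comment removal, plus the allow-list
# approach that avoids validating raw SQL from a request at all.

_DIRECTION_RE = re.compile(r"^(.*?)\s+(ASC|DESC)\s*$", re.IGNORECASE | re.DOTALL)
_IDENT_RE = re.compile(r"[A-Za-z_][\w.]*")
_CALL_START_RE = re.compile(r"[A-Za-z_]\w*\(")

# Tokenizer following MySQL's comment rules (assumed target dialect).
_TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"|`(?:[^`]|``)*`"  # quoted literals, kept as-is
    r"|/\*!(.*?)\*/"                                       # executable comment: body is code
    r"|/\*.*?\*/"                                          # block comment
    r"|(?:--(?=\s|$)|#)[^\n]*"                             # line comment: '-- ' or '#'
    r"|.",                                                 # anything else, one char
    re.DOTALL,
)


def strip_sql_comments(sql: str) -> str:
    """Remove comments the way the server's lexer would, leaving literals intact.
    `/*! ... */` bodies are kept because MySQL executes them."""
    out = []
    for m in _TOKEN_RE.finditer(sql):
        tok = m.group(0)
        if m.group(1) is not None:
            out.append(" " + m.group(1) + " ")
        elif tok.startswith("/*"):
            out.append(" ")                                # comment reads as whitespace
        elif tok.startswith("--") or tok.startswith("#"):
            continue                                       # line comment dropped
        else:
            out.append(tok)
    return "".join(out)


def _is_single_call(expr: str) -> bool:
    """True when expr is exactly one call NAME(...): the '(' after NAME is closed by
    the last character. Run on a raw string, parentheses inside comments count too."""
    if not _CALL_START_RE.match(expr):
        return False
    depth = 0
    for idx, ch in enumerate(expr):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return idx == len(expr) - 1
    return False


def classify_order_spec(spec: str, strip_comments: bool):
    """Return (kind, value, direction): 'identifier' is quoted by the caller,
    'expr' is passed through raw. Raises ValueError for anything else."""
    s = strip_sql_comments(spec) if strip_comments else spec
    direction, m = "ASC", _DIRECTION_RE.match(s)
    if m:
        s, direction = m.group(1), m.group(2).upper()
    s = s.strip()
    if _IDENT_RE.fullmatch(s):
        return ("identifier", s, direction)
    if _is_single_call(s):
        return ("expr", s, direction)
    raise ValueError(f"rejected ORDER BY spec: {spec!r}")


def order_by_from_allow_list(user_key: str, direction: str, allowed: dict) -> str:
    """For sort keys taken from a request: map them to known columns so the raw
    string never reaches the SQL. `allowed` maps API names to column names."""
    if user_key not in allowed or direction.upper() not in ("ASC", "DESC"):
        raise ValueError(f"unsupported sort: {user_key!r} {direction!r}")
    return f"`{allowed[user_key]}` {direction.upper()}"


# Constructed inputs. In COMMENT_ATTACK the raw-string check counts the '(' inside
# /* */ and takes the ')' after '-- ' as the closing one; the server drops both
# comments and parses a second ORDER BY term carrying a scalar subquery.
LEGIT = ["name", "u.created_at DESC", "COALESCE(score, 0) DESC"]
PLAIN_ATTACK = "RAND(), (SELECT password FROM users LIMIT 1)"
COMMENT_ATTACK = "RAND(1 /* ( */), (SELECT password FROM users LIMIT 1) -- )"


def demo() -> dict:
    """Verdict of the check for every input, with and without comment removal."""
    verdicts = {}
    for spec in LEGIT + [PLAIN_ATTACK, COMMENT_ATTACK]:
        for strip in (False, True):
            try:
                verdicts[(spec, strip)] = classify_order_spec(spec, strip)[0]
            except ValueError:
                verdicts[(spec, strip)] = "rejected"
    return verdicts


if __name__ == "__main__":
    for (spec, strip), verdict in demo().items():
        print(f"{'stripped' if strip else 'raw':8}  {verdict:10}  {spec}")
    print("server parses:", strip_sql_comments(COMMENT_ATTACK).strip())
```

Calling `demo()` shows the three legitimate specs accepted in both modes, the plain two-term payload rejected in both, and the comment-bearing payload accepted as a single function call only when the check runs on the raw string. Two caveats matter in practice. The stripper must follow the target server's lexer exactly (here MySQL's `-- `, `#` and executable `/*! */` rules): anything it removes that the server would not treat as a comment reaches the server unvalidated, so when the dialect is uncertain the safer choice is to reject any input that contains a comment at all. And a shape check, even after stripping, still accepts inputs such as `RAND((SELECT 1))` or `SLEEP(5)`, so sort keys that come from a request belong in an allow-list like `order_by_from_allow_list` rather than in any expression validator.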

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

Packagist: zendframework/zendframework < 1.12.20
NVD: zend/zend_framework 1.12.19

Also affects: Fedora 23, 24, 25

🔴 Vulnerability Details (4)

GHSA: Zend Framework Allows SQL Injection (2022-05-14)
OSV: Zend Framework Allows SQL Injection (2022-05-14)
OSV: CVE-2016-4861: The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1… (2017-02-17)
CVEList: CVE-2016-4861: The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1… (2017-02-16)

💬 Community (3)

Bugzilla: CVE-2016-4861 php-ZendFramework: ZendFramework: SQL injection vulnerability [epel-all] (2016-09-15)
Bugzilla: CVE-2016-4861 php-ZendFramework: ZendFramework: SQL injection vulnerability [fedora-all] (2016-09-15)
Bugzilla: CVE-2016-4861 ZendFramework: SQL injection vulnerability (2016-09-15)
CVE-2016-4861 — SQL Injection in Zend Framework | cvebase