CVE-2016-6233 — SQL Injection in Framework

CWE-89 — SQL Injection8 documents5 sources

Severity

9.8CRITICALNVD

EPSS

1.7%

top 17.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zendframework Zendframework Zendframework1 Zend Framework +1 more

Timeline

PublishedFeb 17

Latest updateMay 14

Description

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Packagistzendframework/zendframework< 1.12.19

▶Packagistzendframework/zendframework1< 1.12.19

▶NVDzend/zend_framework1.12.19

Also affects: Fedora 23, 24, 25

🔴Vulnerability Details

OSV

Zend Framework Allows SQL Injection↗2022-05-14

▶

GHSA

Zend Framework Allows SQL Injection↗2022-05-14

▶

OSV

CVE-2016-6233: The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1↗2017-02-17

▶

CVEList

CVE-2016-6233: The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1↗2017-02-16

▶

💬Community

Bugzilla

CVE-2016-6233 ZendFramework: Potential SQL injection in ORDER and GROUP statements of Zend_Db_Select↗2016-07-18

▶

Bugzilla

CVE-2016-6233 php-ZendFramework: ZendFramework: Potential SQL injection in ORDER and GROUP statements of Zend_Db_Select [fedora-all]↗2016-07-18

▶

Bugzilla

CVE-2016-6233 php-ZendFramework: ZendFramework: Potential SQL injection in ORDER and GROUP statements of Zend_Db_Select [epel-all]↗2016-07-18

▶