Zend Framework vulnerabilities

28 known vulnerabilities affecting zend/zend_framework.

Total CVEs: 28
CISA KEV: 0
Public exploits: 5
Exploited in wild: 1
Severity breakdown: CRITICAL 12, HIGH 4, MEDIUM 12

Vulnerabilities

Page 2 of 2
CVE-2014-2681 | P3 | MEDIUM | CVSS 6.4 | fixed in 1.12.4; affected ≥ 2.1.0, < 2.1.6 (+1 more) | 2014-11-16
Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to read arbitrary
Source: nvd
CVE-2015-1786 | P4 | HIGH | CWE-352 | CVSS 8.8 | affected v2.3.0, v2.3.1 (+4 more) | 2017-06-08
Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework 2.3.x before 2.3.6 via null or malformed token identifiers.
Source: nvd
CVE-2015-3154 | P4 | MEDIUM | CWE-74 | CVSS 6.1 | fixed in 1.12.12; affected ≥ 2.3.0, < 2.3.8 (+1 more) | 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
Source: nvd
CVE-2012-5657 | P4 | MEDIUM | CWE-200 | CVSS 5.0 | affected v1.11.0, v1.11.1 (+13 more) | 2013-05-02
The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.
Source: nvd
CVE-2012-6532 | P4 | MEDIUM | CWE-399 | CVSS 5.0 | affected v1.0.4, v1.5.0 (+54 more) | 2013-02-13
(1) Zend_Dom, (2) Zend_Feed, (3) Zend_Soap, and (4) Zend_XmlRpc in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 allow remote attackers to cause a denial of service (CPU consumption) via recursive or circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack.
Source: nvd
CVE-2012-4451 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | fixed in 2.0.1 | 2020-01-03
Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, or (8) View\Helper\Place
Source: nvd
CVE-2014-4913 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | fixed in 2.2.7; affected ≥ 2.3.0, < 2.3.1 | 2019-12-15
ZF2014-03 has a potential cross site scripting vector in multiple view helpers
Source: nvd
CVE-2014-2683 | P4 | MEDIUM | CVSS 5.0 | fixed in 1.12.4; affected ≥ 2.1.0, < 2.1.6 (+1 more) | 2014-11-16
Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial
Source: nvd