
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 Oct 2024 — In versions of Zend Server 8.5 and prior to version 9.2, a format string injection was discovered. Reported by Dylan Marino • https://portal.perforce.com/s/detail/a91PA000001SYZFYA4 • CWE-134: Use of Externally-Controlled Format String •

CVSS: 10.0 • EPSS: 1% • CPEs: 1 • EXPL: 0

04 Apr 2023 — An issue found in Zend Framework v.3.1.3 and before allows a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020. • http://zend.com • CWE-502: Deserialization of Untrusted Data •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Dec 2022 — A vulnerability was found in morontt zend-blog-number-2. It has been classified as problematic. Affected is an unknown function of the file application/forms/Comment.php of the component Comment Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. • https://github.com/morontt/zend-blog-number-2/commit/36b2d4abe20a6245e4f8df7a4b14e130b24d429d • CWE-352: Cross-Site Request Forgery (CSRF) CWE-863: Incorrect Authorization •

CVSS: 6.1 • EPSS: 0% • CPEs: 4 • EXPL: 0

02 Mar 2021 — ZendTo before 6.06-4 Beta allows XSS during the display of a drop-off in which a filename has unexpected characters. • https://zend.to/changelog.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8 • EPSS: 65% • CPEs: 2 • EXPL: 3

04 Jan 2021 — Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cas... • https://github.com/Vulnmachines/ZF3_CVE-2021-3007 • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.8 • EPSS: 0% • CPEs: 123 • EXPL: 0

24 Mar 2020 — lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta failed to properly check for equality when validating the session cookie, allowing an attacker to gain administrative access with a large number of requests. • https://zend.to/changelog.php • CWE-754: Improper Check for Unusual or Exceptional Conditions •

CVSS: 8.8 • EPSS: 0% • CPEs: 123 • EXPL: 0

24 Mar 2020 — ZendTo prior to 5.22-2 Beta allowed reflected XSS and CSRF via the unlock.tpl unlock user functionality. • https://zend.to/changelog.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.5 • EPSS: 0% • CPEs: 123 • EXPL: 0

24 Mar 2020 — lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta allowed IP address spoofing via the X-Forwarded-For header. • http://jul.es/pipermail/zendto/2020-January/003845.html • CWE-346: Origin Validation Error •

CVSS: 6.1 • EPSS: 1% • CPEs: 4 • EXPL: 0

03 Jan 2020 — Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, or (8) View\Helper\Placeholder\Container\AbstractStandalone, related to Escaper. • http://framework.zend.com/security/advisory/ZF2012-03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1 • EPSS: 0% • CPEs: 3 • EXPL: 0

15 Dec 2019 — ZF2014-03 has a potential cross-site scripting vector in multiple view helpers. • http://www.openwall.com/lists/oss-security/2014/07/11/4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •