CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-29312
https://notcve.org/view.php?id=CVE-2020-29312
An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020. • http://zend.com https://cowtransfer.com/s/f9684f004d7149 https://github.com/zendframework/zendframework • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 3%CPEs: 2EXPL: 2CVE-2021-3007
https://notcve.org/view.php?id=CVE-2021-3007
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized ** EN DISPUTA ** Laminas Project laminas-http versión anterior a 2.14.2, y Zend Framework versión 3.0.0, tiene una vulnerabilidad de deserialización que puede llevar a la ejecución remota de código si el contenido es controlable, relacionado con el método __destructura de la clase Zend\Http\Response\Stream en Stream.php. NOTA: Zend Framework ya no está soportado por el mantenedor. NOTA: el proveedor de laminas-http considera esto como una "vulnerabilidad en el propio lenguaje PHP" pero ha añadido cierto tipo de chequeo como una forma de prevenir la explotación en casos de uso (no recomendado) donde los datos suministrados por el atacante pueden ser deserializados • https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php https://github.com/laminas/laminas-http/pull/48 https://github.com/laminas/laminas-http/releases/tag/2.14.2 https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2012-4451
https://notcve.org/view.php?id=CVE-2012-4451
Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, or (8) View\Helper\Placeholder\Container\AbstractStandalone, related to Escaper. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en Zend Framework versiones 2.0.x anteriores a la versión 2.0.1, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio de una entrada no especificada en (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, o (8) View\Helper\Placeholder\Container\AbstractStandalone, relacionado con Escaper. • http://framework.zend.com/security/advisory/ZF2012-03 http://seclists.org/oss-sec/2012/q3/571 http://seclists.org/oss-sec/2012/q3/573 http://www.securityfocus.com/bid/55636 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10 https://bugs.gentoo.org/show_bug.cgi?id=436210 https://bugzilla.redhat.com/show_bug.cgi?id=860738 https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 3EXPL: 0CVE-2014-4913
https://notcve.org/view.php?id=CVE-2014-4913
ZF2014-03 has a potential cross site scripting vector in multiple view helpers ZF2014-03, tiene un vector potencial de tipo cross site scripting en múltiples asistentes de vista. • http://www.openwall.com/lists/oss-security/2014/07/11/4 http://www.securityfocus.com/bid/66971 https://access.redhat.com/security/cve/cve-2014-4913 https://framework.zend.com/security/advisory/ZF2014-03 https://security-tracker.debian.org/tracker/CVE-2014-4913 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 11EXPL: 0CVE-2015-7503
https://notcve.org/view.php?id=CVE-2015-7503
Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2.4.9, and 2.5.x before 2.5.2 allows remote attackers to recover the RSA private key. Zend Framework en versiones anteriores a la 2.4.9, zend-framework/zend-crypt en versiones 2.4.x anteriores a la 2.4.9 y 2.5.x anteriores a la 2.5.2 permite que atacantes remotos recuperen la clave privada RSA. • https://bugzilla.redhat.com/show_bug.cgi?id=1283137 https://framework.zend.com/security/advisory/ZF2015-10 • CWE-320: Key Management Errors •