CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2015-0270
https://notcve.org/view.php?id=CVE-2015-0270
25 Oct 2019 — Zend Framework before 2.2.10 and 2.3.x before 2.3.5 has Potential SQL injection in PostgreSQL Zend\Db adapter. Zend Framework versiones anteriores a 2.2.10 y versiones 2.3.x anteriores a 2.3.5, presenta una Inyección SQL Potencial en el adaptador Zend\Db de PostgreSQL. • https://framework.zend.com/security/advisory/ZF2015-02 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000841
https://notcve.org/view.php?id=CVE-2018-1000841
20 Dec 2018 — Zend.To version Prior to 5.15-1 contains a Cross Site Scripting (XSS) vulnerability in The verify.php page that can result in An attacker could execute arbitrary Javascript code in the context of the victim's browser.. This attack appear to be exploitable via HTTP POST request. This vulnerability appears to have been fixed in 5.16-1 Beta. Zend.To, en versiones anteriores a la 5.15-1, contiene una vulnerabilidad Cross Site Scripting (XSS) en la página verify.php que puede resultar en que un atacante podría e... • https://zend.to/changelog.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2018-10230
https://notcve.org/view.php?id=CVE-2018-10230
19 Apr 2018 — Zend Debugger in Zend Server before 9.1.3 has XSS, aka ZSR-2455. Zend Debugger en Zend Server, en versiones anteriores a la 9.1.3, tiene Cross-Site Scripting (XSS). Esto también se conoce como ZSR-2455. • https://www.synacktiv.com/ressources/zend_server_9_1_3_xss.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 11EXPL: 0CVE-2015-7503
https://notcve.org/view.php?id=CVE-2015-7503
10 Oct 2017 — Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2.4.9, and 2.5.x before 2.5.2 allows remote attackers to recover the RSA private key. Zend Framework en versiones anteriores a la 2.4.9, zend-framework/zend-crypt en versiones 2.4.x anteriores a la 2.4.9 y 2.5.x anteriores a la 2.5.2 permite que atacantes remotos recuperen la clave privada RSA. • https://bugzilla.redhat.com/show_bug.cgi?id=1283137 • CWE-320: Key Management Errors •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-3257
https://notcve.org/view.php?id=CVE-2015-3257
25 Aug 2017 — Zend/Diactoros/Uri::filterPath in zend-diactoros before 1.0.4 does not properly sanitize path input, which allows remote attackers to perform cross-site scripting (XSS) or open redirect attacks. Zend/Diactoros/Uri::filterPath en zend-diactoros en versiones anteriores a la 1.0.4 no sanitiza correctamente la entrada de rutas, lo que permite que atacantes remotos realicen ataques de Cross-Site Scripting (XSS) o de redirección abierta. • http://www.securityfocus.com/bid/75466 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 13EXPL: 0CVE-2015-1555
https://notcve.org/view.php?id=CVE-2015-1555
07 Aug 2017 — Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators. Zend/Session/SessionManager en Zend Framework 2.2.x en versiones anteriores a 2.2.9, 2.3.x en versiones anteriores a 2.3.4 permite que atacantes remotos creen sesiones válidas sin emplear validadores de sesión. • http://framework.zend.com/security/advisory/ZF2015-01 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2015-1786
https://notcve.org/view.php?id=CVE-2015-1786
08 Jun 2017 — Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework 2.3.x before 2.3.6 via null or malformed token identifiers. Vulnerabilidad de tipo Cross-site request forgery (CSRF) en Zend/Validator/Csrf en Zend Framework , versiones 2.3.x anteriores a la 2.3.6 a través de identificadores de tokenes mal construidos o nulos. • https://bugzilla.redhat.com/show_bug.cgi?id=1207781 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 1CVE-2016-6233 – Gentoo Linux Security Advisory 201804-10
https://notcve.org/view.php?id=CVE-2016-6233
16 Feb 2017 — The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression. Los métodos (1) order y (2) group en Zend_Db_Select en la Zend Framework en versiones anteriores a 1.12.19 podrían permitir a atacantes remotos llevar a cabo ataques de inyección SQL a través de vectores relacionados con el uso del patrón de caracteres [\w]* en una expresión ... • http://www.securityfocus.com/bid/91802 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 4%CPEs: 4EXPL: 2CVE-2016-4861 – Gentoo Linux Security Advisory 201804-10
https://notcve.org/view.php?id=CVE-2016-4861
16 Feb 2017 — The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation. Los métodos (1) order y (2) group en Zend_Db_Select en la Zend Framework en versiones anteriores a 1.12.20 podrían permitir a atacantes remotos llevar a cabo ataques de inyección SQL aprovechando el fallo para borrar comentarios de una sentencia SQL antes de la validación. Mul... • https://github.com/KosukeShimofuji/CVE-2016-4861 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 82%CPEs: 10EXPL: 7CVE-2016-10034 – PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution
https://notcve.org/view.php?id=CVE-2016-10034
30 Dec 2016 — The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address. La función setFrom en el adaptador Sendmail en el componente zend-mail en versiones anteriores a 2.4.11, 2.5.x, 2.6.x y 2.7.x en versiones anteriores a 2.7.2 y Zend Framework en... • https://packetstorm.news/files/id/140349 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •