Page 3 of 18 results (0.008 seconds)

CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 1

SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte. Una vulnerabilidad de inyección SQL en Zend Framework versiones anteriores a 1.12.9, versiones 2.2.x anteriores a 2.2.8 y versiones 2.3.x anteriores a 2.3.3, cuando se usa la extensión PHP sqlsrv, permite a atacantes remotos ejecutar comandos SQL arbitrarios por medio de un byte null. • http://framework.zend.com/security/advisory/ZF2014-06 http://seclists.org/oss-sec/2014/q4/276 http://www.securityfocus.com/bid/70011 https://bugzilla.redhat.com/show_bug.cgi?id=1151277 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 5.0EPSS: 0%CPEs: 21EXPL: 0

The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind. (1) La clase Zend_Ldap en Zend anterior a 1.12.9 y (2) el componente Zend\Ldap en Zend 2.x anterior a 2.2.8 y 2.3.x anterior a 2.3.3 permite a atacantes remotos evadir la autenticación a través de una contraseña que empiece por un byte nulo, lo que provoca un bind no autenticado. • http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141070.html http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141106.html http://www.debian.org/security/2015/dsa-3265 http://www.openwall.com/lists/oss-security/2014/10/10/5 http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html http://www.securityfocus.com/bid/70378 https://exchange.xforce.ibmcloud.com/vulnerabilities/97038 • CWE-287: Improper Authentication •

CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0

The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors. La función Zend_Db_Select::order en Zend Framework, en versiones anteriores a la 1.12.7, no gestiona correctamente los paréntesis. Esto permite que atacantes remotos lleven a cabo ataques de inyección SQL mediante vectores sin especificar. • http://framework.zend.com/security/advisory/ZF2014-04 http://jvn.jp/en/jp/JVN71730320/index.html http://openwall.com/lists/oss-security/2014/07/11/4 http://secunia.com/advisories/58847 http://www.securityfocus.com/bid/68031 https://www.debian.org/security/2015/dsa-3265 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.8EPSS: 0%CPEs: 12EXPL: 0

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657. Zend Framework 1 (ZF1) anterior a 1.12.4, Zend Framework 2 anterior a 2.1.6 y 2.2.x anterior a 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, y ZendService_WindowsAzure anterior a 2.0.2, ZendService_Amazon before 2.0.3, y ZendService_Api anterior a 1.0.0, cuando usamos PHP-FPM, no comparte correctamente la configuración entre hilos en libxml_disable_entity_loader, lo que podría permitir a atacantes remotos realizar ataques XXE a través de una declaración de entidad externa de XML junto con una referencia de entidad. NOTA: este fallo existe porque no se solución la CVE-2012-5657. • http://advisories.mageia.org/MGASA-2014-0151.html http://framework.zend.com/security/advisory/ZF2014-01 http://seclists.org/oss-sec/2014/q2/0 http://www.debian.org/security/2015/dsa-3265 http://www.mandriva.com/security/advisories?name=MDVSA-2014:072 http://www.securityfocus.com/bid/66358 • CWE-19: Data Processing Errors •

CVSS: 5.0EPSS: 1%CPEs: 12EXPL: 0

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532. ZendFramework 1(ZF1) anterior a 1.12.4, Zend Framework anterior a 2.1.6 y 2.2.x anterior a 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, y ZendService_WindowsAzure anterior a 2.0.2, ZendService_Amazon anterior a 2.0.3, y ZendService_Api anterior a 1.0.0 permite a atacantes remotos causar una denegación de servicio (Consumir la CPU) a través de referencias recursivas o circulares en una definición de una entidad en XML en una declaración DOCTYPE XML también conocido como ataque XEE. Nota: este fallo existe porque no se termino de solucionar la CVE-2012-6532 • http://advisories.mageia.org/MGASA-2014-0151.html http://framework.zend.com/security/advisory/ZF2014-01 http://seclists.org/oss-sec/2014/q2/0 http://www.debian.org/security/2015/dsa-3265 http://www.mandriva.com/security/advisories?name=MDVSA-2014:072 http://www.securityfocus.com/bid/66358 • CWE-17: DEPRECATED: Code •