// For flags

CVE-2015-3154

Debian Security Advisory 3265-1

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.

Una vulnerabilidad de inyección de tipo CRLF en Zend\Mail (Zend_Mail) en Zend Framework versiones anteriores a 1.12.12, versiones 2.x anteriores a 2.3.8 y versiones 2.4.x anteriores a 2.4.1, permite a atacantes remotos inyectar encabezados HTTP arbitrarios y realizar ataques de división de respuesta HTTP por medio de secuencias de tipo CRLF en el encabezado de un correo electrónico.

Multiple vulnerabilities were discovered in Zend Framework, a PHP framework. Except for CVE-2015-3154, all these issues were already fixed in the version initially shipped with Jessie.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2015-04-10 CVE Reserved
  • 2015-05-20 CVE Published
  • 2024-08-06 CVE Updated
  • 2024-08-06 First Exploit
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CAPEC
References (1)
URL Tag Source
URL Date SRC
http://framework.zend.com/security/advisory/ZF2015-04 2024-08-06
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Zend
Search vendor "Zend"
 Zend Framework
Search vendor "Zend" for product "Zend Framework"
 < 1.12.12
Search vendor "Zend" for product "Zend Framework" and version " < 1.12.12"
-
Affected
Zend
Search vendor "Zend"
 Zend Framework
Search vendor "Zend" for product "Zend Framework"
 >= 2.3.0 < 2.3.8
Search vendor "Zend" for product "Zend Framework" and version " >= 2.3.0 < 2.3.8"
-
Affected
Zend
Search vendor "Zend"
 Zend Framework
Search vendor "Zend" for product "Zend Framework"
 >= 2.4.0 < 2.4.1
Search vendor "Zend" for product "Zend Framework" and version " >= 2.4.0 < 2.4.1"
-
Affected