Published: 16/11/2014 Updated: 16/07/2019

CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6

VMScore: 605

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Zend Framework 1 (ZF1) prior to 1.12.4, Zend Framework 2 prior to 2.1.6 and 2.2.x prior to 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure prior to 2.0.2, ZendService_Amazon prior to 2.0.3, and ZendService_Api prior to 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote malicious users to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.

Vulnerable Product	Search on Vulmon	Subscribe to Product
zend zendrest
zend zend framework
zend zendservice slideshare
zend zendservice api
zend zendservice audioscrobbler
zend zendservice amazon
zend zendservice technorati
zend zendservice windowsazure
zend zendopenid
zend zendservice nirvanix

Debian Bug report logs - #754201 Potential SQL injection in the ORDER implementation of Zend_Db_Select (ZF2014-04) Package: zendframework; Maintainer for zendframework is Debian PHP PEAR Maintainers <pkg-php-pear@listsaliothdebianorg>; Source for zendframework is src:zendframework (PTS, buildd, popcon) Reported by: David ...

Debian Bug report logs - #743175 zendframework: two security issues Package: zendframework; Maintainer for zendframework is Debian PHP PEAR Maintainers <pkg-php-pear@listsaliothdebianorg>; Source for zendframework is src:zendframework (PTS, buildd, popcon) Reported by: "Thijs Kinkhorst" <thijs@debianorg> Date: Mo ...

Debian Bug report logs - #754201 Potential SQL injection in the ORDER implementation of Zend_Db_Select (ZF2014-04) Package: zendframework; Maintainer for zendframework is Debian PHP PEAR Maintainers <pkg-php-pear@listsaliothdebianorg>; Source for zendframework is src:zendframework (PTS, buildd, popcon) Reported by: David ...

Multiple vulnerabilities were discovered in Zend Framework, a PHP framework Except for CVE-2015-3154, all these issues were already fixed in the version initially shipped with Jessie CVE-2014-2681 Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions This fix extends the incomple ...

The GenericConsumer class in the Consumer component in ZendOpenId before 202 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1124 violate the OpenID 20 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider XML eXtern ...

CWE-19 http://advisories.mageia.org/MGASA-2014-0151.html http://seclists.org/oss-sec/2014/q2/0 http://framework.zend.com/security/advisory/ZF2014-01 http://www.mandriva.com/security/advisories?name=MDVSA-2014:072 http://www.securityfocus.com/bid/66358 http://www.debian.org/security/2015/dsa-3265 https://nvd.nist.gov https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754201 https://www.debian.org/security/./dsa-3265

CVE-2014-2682

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect