Published: 16/11/2014 Updated: 16/07/2019

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

VMScore: 445

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Zend Framework 1 (ZF1) prior to 1.12.4, Zend Framework 2 prior to 2.1.6 and 2.2.x prior to 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure prior to 2.0.2, ZendService_Amazon prior to 2.0.3, and ZendService_Api prior to 1.0.0 allow remote malicious users to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.

Vulnerable Product	Search on Vulmon	Subscribe to Product
zend zendrest
zend zend framework
zend zendservice slideshare
zend zendservice api
zend zendservice audioscrobbler
zend zendservice amazon
zend zendservice technorati
zend zendservice windowsazure
zend zendopenid
zend zendservice nirvanix

Debian Bug report logs - #754201 Potential SQL injection in the ORDER implementation of Zend_Db_Select (ZF2014-04) Package: zendframework; Maintainer for zendframework is Debian PHP PEAR Maintainers <pkg-php-pear@listsaliothdebianorg>; Source for zendframework is src:zendframework (PTS, buildd, popcon) Reported by: David ...

Debian Bug report logs - #743175 zendframework: two security issues Package: zendframework; Maintainer for zendframework is Debian PHP PEAR Maintainers <pkg-php-pear@listsaliothdebianorg>; Source for zendframework is src:zendframework (PTS, buildd, popcon) Reported by: "Thijs Kinkhorst" <thijs@debianorg> Date: Mo ...

Debian Bug report logs - #754201 Potential SQL injection in the ORDER implementation of Zend_Db_Select (ZF2014-04) Package: zendframework; Maintainer for zendframework is Debian PHP PEAR Maintainers <pkg-php-pear@listsaliothdebianorg>; Source for zendframework is src:zendframework (PTS, buildd, popcon) Reported by: David ...

Multiple vulnerabilities were discovered in Zend Framework, a PHP framework Except for CVE-2015-3154, all these issues were already fixed in the version initially shipped with Jessie CVE-2014-2681 Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions This fix extends the incomple ...

The GenericConsumer class in the Consumer component in ZendOpenId before 202 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1124 violate the OpenID 20 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider XML eXtern ...

CWE-17 http://advisories.mageia.org/MGASA-2014-0151.html http://seclists.org/oss-sec/2014/q2/0 http://framework.zend.com/security/advisory/ZF2014-01 http://www.mandriva.com/security/advisories?name=MDVSA-2014:072 http://www.securityfocus.com/bid/66358 http://www.debian.org/security/2015/dsa-3265 https://nvd.nist.gov https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754201 https://www.debian.org/security/./dsa-3265

CVE-2014-2683

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect