Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
6.4
CVSSv2

CVE-2014-2684

Published: 16/11/2014 Updated: 04/11/2017
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
VMScore: 570
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Subscribe to Zend

Vulnerability Summary

The GenericConsumer class in the Consumer component in ZendOpenId prior to 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 prior to 1.12.4 does not verify that the openid_op_endpoint value identifies the same Identity Provider as the provider used in the association handle, which allows remote malicious users to bypass authentication and spoof arbitrary OpenID identities by using a malicious OpenID Provider that generates OpenID tokens with arbitrary identifier and claimed_id values.

Vulnerable Product Search on Vulmon Subscribe to Product

zend zendopenid

zend zend framework

Vendor Advisories

Debian CVElist Bug Report Logs: Potential SQL injection in the ORDER implementation of Zend_Db_Select (ZF2014-04)
Debian Bug report logs - #754201 Potential SQL injection in the ORDER implementation of Zend_Db_Select (ZF2014-04) Package: zendframework; Maintainer for zendframework is Debian PHP PEAR Maintainers <pkg-php-pear@listsaliothdebianorg>; Source for zendframework is src:zendframework (PTS, buildd, popcon) Reported by: David ...
Debian CVElist Bug Report Logs: zendframework: two security issues
Debian Bug report logs - #743175 zendframework: two security issues Package: zendframework; Maintainer for zendframework is Debian PHP PEAR Maintainers <pkg-php-pear@listsaliothdebianorg>; Source for zendframework is src:zendframework (PTS, buildd, popcon) Reported by: "Thijs Kinkhorst" <thijs@debianorg> Date: Mo ...
Debian CVElist Bug Report Logs: Potential SQL injection in the ORDER implementation of Zend_Db_Select (ZF2014-04)
Debian Bug report logs - #754201 Potential SQL injection in the ORDER implementation of Zend_Db_Select (ZF2014-04) Package: zendframework; Maintainer for zendframework is Debian PHP PEAR Maintainers <pkg-php-pear@listsaliothdebianorg>; Source for zendframework is src:zendframework (PTS, buildd, popcon) Reported by: David ...
Debian Security Advisories: DSA-3265-1 zendframework -- security update
Multiple vulnerabilities were discovered in Zend Framework, a PHP framework Except for CVE-2015-3154, all these issues were already fixed in the version initially shipped with Jessie CVE-2014-2681 Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions This fix extends the incomple ...
Amazon Linux AMI: ALAS-2014-377
The GenericConsumer class in the Consumer component in ZendOpenId before 202 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1124 violate the OpenID 20 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider XML eXtern ...

References

CWE-264http://advisories.mageia.org/MGASA-2014-0151.htmlhttp://seclists.org/oss-sec/2014/q2/0http://framework.zend.com/security/advisory/ZF2014-02http://www.mandriva.com/security/advisories?name=MDVSA-2014:072http://www.securityfocus.com/bid/66358http://www.debian.org/security/2015/dsa-3265https://nvd.nist.govhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754201https://www.debian.org/security/./dsa-3265
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
path traversalCVE-2024-26978CVE-2024-26982wirelessCVE-2023-6949CVE-2024-26980CVE-2024-32766CVE-2024-26939cache poisoning
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook