CVE-2014-2685

Published: 04/09/2014 Updated: 04/11/2017
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The GenericConsumer class in the Consumer component in ZendOpenId prior to 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 prior to 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote malicious users to bypass authentication by leveraging an assertion from an OpenID provider.
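The flaw is the weakness of the signed-field check, so the relying-party check that actually matters is worth spelling out. The following is an added example, not Zend Framework code: it assumes PHP 7 or later, takes the required-field list from OpenID 2.0 section 10.1, and uses a constructed sample assertion with placeholder URLs and values.

```php
<?php
// Added example, not Zend Framework code: a relying party must require that every
// field OpenID 2.0 mandates is listed in openid.signed, not merely "some" field.

// Fields OpenID 2.0 section 10.1 requires to be signed; claimed_id and identity
// must be signed whenever they appear in the response.
function requiredSignedFields(array $params): array
{
    $required = ['op_endpoint', 'return_to', 'response_nonce', 'assoc_handle'];
    foreach (['claimed_id', 'identity'] as $field) {
        if (isset($params['openid.' . $field])) {
            $required[] = $field;
        }
    }
    return $required;
}

// Weak pattern (the CVE-2014-2685 mistake): only checks that the signed list is
// non-empty, so an assertion signing a single harmless field is accepted.
function signedListIsAcceptableWeak(array $params): bool
{
    $signed = array_filter(array_map('trim', explode(',', $params['openid.signed'] ?? '')));
    return count($signed) > 0;
}

// Hardened check: reject unless every required field is covered by the signature.
// The signature value itself must still be verified separately over those fields.
function signedListIsAcceptable(array $params): bool
{
    $signed = array_map('trim', explode(',', $params['openid.signed'] ?? ''));
    foreach (requiredSignedFields($params) as $field) {
        if (!in_array($field, $signed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample assertion (placeholder values) whose signature covers only "mode".
$assertion = [
    'openid.mode'           => 'id_res',
    'openid.op_endpoint'    => 'https://op.example/endpoint',
    'openid.claimed_id'     => 'https://op.example/user/alice',
    'openid.identity'       => 'https://op.example/user/alice',
    'openid.return_to'      => 'https://rp.example/login',
    'openid.response_nonce' => '2014-04-09T00:00:00Zplaceholder',
    'openid.assoc_handle'   => 'placeholder-handle',
    'openid.signed'         => 'mode',
];
echo 'weak check: ', signedListIsAcceptableWeak($assertion) ? 'accepted' : 'rejected', PHP_EOL;
echo 'strict check: ', signedListIsAcceptable($assertion) ? 'accepted' : 'rejected', PHP_EOL;
```

The strict check is only the first gate: the relying party must still verify the signature over exactly the listed fields and validate return_to and the nonce.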

Vulnerable Products

zend zend framework 1.9.7
zend zend framework 1.9.6
zend zend framework 1.9.0
zend zend framework 1.8.1
zend zend framework 1.8.0
zend zend framework 1.7.5
zend zend framework 1.7.4
zend zend framework 1.7.0
zend zend framework 1.6.2
zend zend framework 1.6.1
zend zend framework 1.5.1
zend zend framework 1.5.0
zend zend framework 1.12.0
zend zend framework 1.11.7
zend zend framework 1.11.6
zend zend framework 1.9.5
zend zend framework 1.9.4
zend zend framework 1.8.5
zend zend framework 1.7.3
zend zend framework 1.6.0
zend zend framework 1.12.2
zend zend framework 1.11.5
zend zend framework 1.11.4
zend zend framework 1.11.1
zend zend framework 1.11.0
zend zend framework 1.10.5
zend zend framework 1.10.4
zend zend framework 1.0.4
zend zend framework 1.0.3
zend zend framework 1.0.0
zend zend framework 1.9.8
zend zend framework 1.9.2
zend zend framework 1.9.1
zend zend framework 1.8.3
zend zend framework 1.8.2
zend zend framework 1.7.7
zend zend framework 1.7.6
zend zend framework 1.9.3
zend zend framework 1.8.4
zend zend framework 1.7.9
zend zend framework 1.7.8
zend zend framework 1.7.2
zend zend framework 1.7.1
zend zend framework
zend zend framework 1.12.1
zend zend framework 1.11.3
zend zend framework 1.11.2
zend zend framework 1.10.3
zend zend framework 1.10.2
zend zend framework 1.10.1
zend zend framework 1.0.2
zend zend framework 1.0.1
zend zend framework 1.5.3
zend zend framework 1.5.2
zend zend framework 1.11.9
zend zend framework 1.11.8
zend zend framework 1.11.13
zend zend framework 1.11.12
zend zend framework 1.10.9
zend zend framework 1.10.8
zend zend framework 1.10.0
zend zend framework 1.11.11
zend zend framework 1.11.10
zend zend framework 1.10.7
zend zend framework 1.10.6
zend zendopenid

Vendor Advisories

Debian Bug report logs - #754201 Potential SQL injection in the ORDER implementation of Zend_Db_Select (ZF2014-04). Package: zendframework; Maintainer for zendframework is Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>; Source for zendframework is src:zendframework (PTS, buildd, popcon). Reported by: David ...
Debian Bug report logs - #743175 zendframework: two security issues. Package: zendframework; Maintainer for zendframework is Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>; Source for zendframework is src:zendframework (PTS, buildd, popcon). Reported by: "Thijs Kinkhorst" <thijs@debian.org> Date: Mo ...
Multiple vulnerabilities were discovered in Zend Framework, a PHP framework. Except for CVE-2015-3154, all these issues were already fixed in the version initially shipped with Jessie. CVE-2014-2681: Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions. This fix extends the incomple ...
The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. XML eXtern ...