Filtered by vendor Zend Subscriptions
Total 46 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-29312 1 Zend 1 Zend Framework 2024-08-04 9.8 Critical
An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020.
CVE-2020-8986 1 Zend 1 Zendto 2024-08-04 9.8 Critical
lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta failed to properly check for equality when validating the session cookie, allowing an attacker to gain administrative access with a large number of requests.
CVE-2020-8984 1 Zend 1 Zendto 2024-08-04 7.5 High
lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta allowed IP address spoofing via the X-Forwarded-For header.
CVE-2020-8985 1 Zend 1 Zendto 2024-08-04 8.8 High
ZendTo prior to 5.22-2 Beta allowed reflected XSS and CSRF via the unlock.tpl unlock user functionality.
CVE-2021-27888 1 Zend 1 Zendto 2024-08-03 6.1 Medium
ZendTo before 6.06-4 Beta allows XSS during the display of a drop-off in which a filename has unexpected characters.
CVE-2021-3007 2 Getlaminas, Zend 2 Laminas-http, Zend Framework 2024-08-03 9.8 Critical
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized