Filtered by vendor Zend
Subscriptions
Total
46 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-29312 | 1 Zend | 1 Zend Framework | 2024-08-04 | 9.8 Critical |
An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020. | ||||
CVE-2020-8986 | 1 Zend | 1 Zendto | 2024-08-04 | 9.8 Critical |
lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta failed to properly check for equality when validating the session cookie, allowing an attacker to gain administrative access with a large number of requests. | ||||
CVE-2020-8984 | 1 Zend | 1 Zendto | 2024-08-04 | 7.5 High |
lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta allowed IP address spoofing via the X-Forwarded-For header. | ||||
CVE-2020-8985 | 1 Zend | 1 Zendto | 2024-08-04 | 8.8 High |
ZendTo prior to 5.22-2 Beta allowed reflected XSS and CSRF via the unlock.tpl unlock user functionality. | ||||
CVE-2021-27888 | 1 Zend | 1 Zendto | 2024-08-03 | 6.1 Medium |
ZendTo before 6.06-4 Beta allows XSS during the display of a drop-off in which a filename has unexpected characters. | ||||
CVE-2021-3007 | 2 Getlaminas, Zend | 2 Laminas-http, Zend Framework | 2024-08-03 | 9.8 Critical |
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized |