Vulnerabilities > Zend > Zend Framework > 2.2.8
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2017-08-07 | CVE-2015-1555 | Improper Input Validation vulnerability in Zend Framework Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators. | 6.4 |
2016-12-30 | CVE-2016-10034 | Command Injection vulnerability in Zend Zend-Mail and Zend Framework The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address. | 7.5 |
2016-06-07 | CVE-2015-5723 | Permissions, Privileges, and Access Controls vulnerability in multiple products Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code. | 7.8 |
2015-08-25 | CVE-2015-5161 | XML External Entity Injection vulnerability in Multiple Zend Products The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. network zend | 6.8 |