CVE-2015-7695 – zendframework/zendframework1
Package
Manager: composer
Name: zendframework/zendframework1
Vulnerable Version: >=0 <1.12.16
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01232 (percentile: 0.78408)
Details
Zend Framework SQL injection vector using null byte for PDO
The PDO adapters in Zend Framework before 1.12.16 do not filter null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query.
Metadata
Created: 2022-05-17T03:44:23Z
Modified: 2024-04-23T23:11:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2hvh-c5c2-vj85/GHSA-2hvh-c5c2-vj85.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-2hvh-c5c2-vj85
Finding: F297
Auto approve: 1