GHSA-9722-9j67-vjcr: Improper Authorization in Select Permissions

GHSA-qjrv-v6qp-x99x: SurrealDB has an Uncaught Exception Handling Parsing Errors on Empty Strings

GHSA-f3cx-396f-7jqp: Livewire Remote Code Execution on File Uploads

GHSA-ffcv-v6pw-qhrp: Denial of Service in TYPO3 Bookmark Toolbar

GHSA-9cp9-8gw2-8v7m: Adguard Home arbitrary file read vulnerability

The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.

We tested and verified the null byte injection using pdo_dblib (FreeTDS) on a Linux environment to access a remote Microsoft SQL Server, and also tested against and noted the vector against pdo_sqlite.

**Zendframework1 potential SQL injection vector using null byte for PDO (MsSql, SQLite)**

Critical severity GitHub Reviewed Published Jun 7, 2024 to the GitHub Advisory Database • Updated Jun 7, 2024

Headline

GHSA-v42g-7q2x-cw32: Zendframework1 potential SQL injection vector using null byte for PDO (MsSql, SQLite)

ghsa: Latest News