Tag

#vulnerability

GHSA-hx54-pf28-7xch: ebookmeta XML External Entity vulnerability

An XML External Entity (XXE) vulnerability in the `ebookmeta.get_metadata` function via the lxml dependency allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.

GHSA-whf4-fpj8-pgg8: ebookmeta XML External Entity vulnerability

An XML External Entity (XXE) vulnerability in the `ebookmeta.get_metadata` function of ebookmeta before v1.2.8 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.

GHSA-cr7j-rwmv-vgch: aimeos-core arbitrary file upload vulnerability

An arbitrary file upload vulnerability in the image upload function of aimeos-core v2024.04 allows attackers to execute arbitrary code via uploading a crafted PHP file.

GHSA-96c6-m98x-hxjx: Zend-Session session validation vulnerability

`Zend\Session` session validators do not work as expected if set prior to the start of a session. For instance, the following test case fails (where `$this->manager` is an instance of `Zend\Session\SessionManager`):

```
$this
    ->manager
    ->getValidatorChain()
    ->attach('session.validate', array(new RemoteAddr(), 'isValid'));

$this->manager->start();

$this->assertSame(
    array(
        'Zend\Session\Validator\RemoteAddr' => '',
    ),
    $_SESSION['__ZF']['_VALID']
);
```

The implication is that subsequent calls to `Zend\Session\SessionManager#start()` (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid. An attacker is thus able to simply ignore session validators such as `RemoteAddr` or `HttpUserAgent`, since the "signature" that these validators check against is not being stored in the session.

GHSA-cxf7-m5g2-v594: Zend-Mail remote code execution in zend-mail via Sendmail adapter

When using the zend-mail component to send email via the `Zend\Mail\Transport\Sendmail` transport, a malicious user may be able to inject arbitrary parameters to the system sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability. The following example demonstrates injecting additional parameters to the sendmail binary via the From address:

```
use Zend\Mail;

$mail = new Mail\Message();
$mail->setBody('This is the text of the email.');

// inject additional parameters to sendmail command line
$mail->setFrom('"AAA\" params injection"@domain', 'Sender\'s name');

$mail->addTo('hacker@localhost', 'Name of recipient');
$mail->setSubject('TestSubject');

$transport = new Mail\Transport\Sendmail();
$transport->send($mail);
```

The attack works because zend-mail filters the email addresses using the RFC 3696 specification, where the string...

GHSA-mhpx-3rv8-wrjm: ZendFramework potential XML eXternal Entity injection vectors

Numerous components utilizing PHP's `DOMDocument`, `SimpleXML`, and `xml_parse` functionality are vulnerable to two types of attacks:

- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.

GHSA-4j9x-g4x8-vcmf: ZendFramework potential XML eXternal Entity injection vectors

`Zend_Feed_Rss` and `Zend_Feed_Atom` were found to contain potential XML eXternal Entity (XXE) vectors due to insecure usage of PHP's DOM extension. External entities could be specified by adding a specific DOCTYPE element to feeds; exploiting this vulnerability could coerce opening arbitrary files and/or TCP connections. A similar issue was fixed for 1.11.13 and 1.12.0, in the `Zend_Feed::import()` factory method; however, the reporter of the issue discovered that the individual classes contained similar functionality in their constructors which remained vulnerable.

GHSA-qf36-fx9f-232x: ZendFramework potential SQL Injection Vector When Using PDO_MySql

Developers using non-ASCII-compatible encodings in conjunction with the MySQL PDO driver of PHP may be vulnerable to SQL injection attacks. Developers using ASCII-compatible encodings like UTF8 or latin1 are not affected by this PHP issue, which is described in more detail here: http://bugs.php.net/bug.php?id=47802

The PHP Group included a feature in PHP 5.3.6+ that allows character set information to be passed as part of the DSN in PDO, so that both the database and the C-level driver are aware of which charset is in use. This is of special importance when PDO's quoting mechanisms are utilized, which Zend Framework also relies on.

GHSA-j543-vg33-g6vj: ZendFramework potential Cross-site Scripting vector in `Zend_Dojo_View_Helper_Editor`

`Zend_Dojo_View_Helper_Editor` was incorrectly decorating a TEXTAREA instead of a DIV. The Dojo team has reported that this has security implications as the rich text editor they use is unable to escape content for a TEXTAREA.

GHSA-f4fj-q6m4-cc52: ZendFramework vulnerable to XXE/XEE attacks

Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:

- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.