CVE-2014-8089
CRITICAL 9.8 | EPSS 1.1% | Zend Framework SQL injection vulnerability
Published: 4/23/2024 | Modified: 4/23/2024
Description
SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.
Affected packages (3)
- Packagist/zendframework/zend-db: >= 2.0.0, < 2.0.99
- Packagist/zendframework/zendframework: >= 2.0.0, < 2.0.99
- Packagist/zendframework/zendframework1: >= 1.12.0, < 1.12.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2014-8089
- WEB: http://framework.zend.com/security/advisory/ZF2014-06
- WEB: https://bugzilla.redhat.com/show_bug.cgi?id=1151277
- WEB: http://seclists.org/oss-sec/2014/q4/276
- WEB: https://framework.zend.com/security/advisory/ZF2014-06
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-db/CVE-2014-8089.yaml
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2014-8089.yaml
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2014-8089.yaml
- WEB: http://www.securityfocus.com/bid/70011