#VU11641 SQL injection in Zend Framework - CVE-2016-4861

Cybersecurity Help s.r.o.

Published: 2018-04-09 | Updated: 2018-04-10

Vulnerability identifier: #VU11641

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-4861

CWE-ID: CWE-89

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Zend Framework
Server applications / Frameworks for developing and running applications

Vendor: Zend

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in web application database.

The weakness exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in web application database.

Mitigation
Update to version 1.12.20.

Vulnerable software versions

Zend Framework: 1.12.18 - 1.12.19

External links
https://framework.zend.com/security/advisory/ZF2016-03

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Zend Framework

Amazon Linux AMI update for php-ZendFramework

Fedora 25 update for php-ZendFramework

Fedora 23 update for php-ZendFramework

Fedora 24 update for php-ZendFramework

Fedora EPEL 7 update for php-ZendFramework

Fedora EPEL 6 update for php-ZendFramework