SQL Injection Vulnerability in Zend Framework by Zend Technologies
CVE-2014-4914

9.8 CRITICAL

Key Information:

Vendor

Zend

CVE Published:
29 December 2017

What is CVE-2014-4914?

The Zend_Db_Select::order() method in Zend Framework before 1.12.7 does not properly handle parentheses when building the ORDER BY clause. A string passed to order() that contains parentheses could be treated as a raw SQL expression and embedded in the query as-is instead of being quoted as a column identifier. Any application that forwards untrusted input to order(), for example a user-supplied sort parameter taken from the request, therefore exposes a SQL injection vector through which a remote attacker can alter the generated query and potentially read or modify data. Affected deployments should upgrade to Zend Framework 1.12.7 or later; independently of the framework version, user-controlled sort columns should be validated against an allow-list of known column names before they reach the query builder.
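To make the failure mode concrete, the following PHP is an illustrative model added for this page; it is not Zend Framework code. The functions order_vulnerable() and order_hardened(), the SqlExpr class and the sample sort parameter are all assumptions made for the illustration. The model mimics an ORDER BY builder that decides a value is a raw expression simply because it contains parentheses (the behaviour this advisory describes), beside a builder that accepts only plain identifiers from strings and requires expressions to be passed as an explicit object.

```php
<?php
declare(strict_types=1);

// Added illustration for CVE-2014-4914, not Zend Framework code.
// Models an ORDER BY builder whose "is this an expression?" test is
// "does the string contain parentheses?", next to a hardened builder
// that only quotes validated identifiers and takes expressions solely
// as SqlExpr objects constructed deliberately by the application author.

final class SqlExpr
{
    public function __construct(public string $sql) {}
}

function quote_identifier(string $name): string
{
    // MySQL-style backtick quoting; any embedded backtick is doubled.
    $parts = explode('.', $name);
    $quoted = array_map(
        fn (string $p): string => '`' . str_replace('`', '``', $p) . '`',
        $parts
    );
    return implode('.', $quoted);
}

// Splits an optional trailing ASC/DESC from a sort specification.
function split_direction(string $spec): array
{
    if (preg_match('/^(.*?)\s+(ASC|DESC)$/i', $spec, $m)) {
        return [$m[1], strtoupper($m[2])];
    }
    return [$spec, 'ASC'];
}

// Vulnerable heuristic (assumed model of the pre-1.12.7 behaviour):
// anything containing "( ... )" is treated as a SQL expression and is
// emitted verbatim, so untrusted input that includes parentheses
// bypasses identifier quoting entirely.
function order_vulnerable(array $specs): string
{
    $parts = [];
    foreach ($specs as $spec) {
        [$col, $dir] = split_direction($spec);
        if (preg_match('/\(.*\)/', $col)) {
            $parts[] = $col . ' ' . $dir;            // raw SQL, no quoting
        } else {
            $parts[] = quote_identifier($col) . ' ' . $dir;
        }
    }
    return 'ORDER BY ' . implode(', ', $parts);
}

// Hardened builder: a string must be a plain, optionally table-qualified
// identifier; anything else is rejected. Expressions are accepted only
// as SqlExpr, which never originates from request data.
function order_hardened(array $specs): string
{
    $parts = [];
    foreach ($specs as $spec) {
        if ($spec instanceof SqlExpr) {
            $parts[] = $spec->sql;
            continue;
        }
        [$col, $dir] = split_direction($spec);
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/', $col)) {
            throw new InvalidArgumentException("Refusing unsafe ORDER BY column: $col");
        }
        $parts[] = quote_identifier($col) . ' ' . $dir;
    }
    return 'ORDER BY ' . implode(', ', $parts);
}

// Constructed sample: a sort parameter as it might arrive from a query
// string, carrying a parenthesised subquery after the expected column.
$untrusted = 'id, (SELECT 1)';

echo order_vulnerable([$untrusted]), PHP_EOL;

try {
    echo order_hardened([$untrusted]), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Legitimate expression ordering still works in the hardened builder,
// but only when the developer opts in explicitly with SqlExpr.
echo order_hardened(['name DESC', new SqlExpr('LENGTH(name) ASC')]), PHP_EOL;
```

Run with PHP 8.0 or later. The vulnerable builder emits the constructed input unchanged, so the parenthesised subquery lands in the ORDER BY clause exactly as the attacker wrote it; the hardened builder throws on the same input and only emits quoted identifiers or explicitly constructed SqlExpr values. The identifier regex is deliberately narrow: widening it to admit parentheses or commas would reintroduce the same class of bug.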

CVSS v3.1

Score: 9.8
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved (CVE-2014-4914)

  • Vulnerability published: 29 December 2017