Cross-Site Request Forgery Vulnerability in Zend Framework by Zend
CVE-2015-1786

8.8HIGH

Key Information:

Vendor: Zend
Status: Zend Framework
Vendor: CVE Published:; 8 June 2017

What is CVE-2015-1786?

A cross-site request forgery (CSRF) vulnerability exists in the Zend/Validator/Csrf component of Zend Framework versions 2.3.x prior to 2.3.6. This vulnerability allows attackers to perform unauthorized actions by exploiting improperly validated token identifiers, which may be null or malformed. As a result, users may unintentionally execute harmful commands without their knowledge, jeopardizing the security of their applications.

References

https://framework.zend.com/changelog/2.3.6

x_refsource_CONFIRM

https://bugzilla.redhat.com/show_bug.cgi?id=1207781

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2017
Vulnerability Reserved
Feb 17, 2015