Versions of Zend Framework prior to 1.12.9, 2.2.x earlier than 2.2.8, or 2.3.x earlier than 2.3.3 are vulnerable to a flaw that may allow an SQL injection attack. The issue is due to improper use of the SQLSRV PHP extension, as user-supplied input containing NULL bytes is not properly sanitized. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
Vendor | Product | Version | CPE |
---|---|---|---|
thomas_breuss | zend_framework_integration_zend_framework | | cpe:/a:thomas_breuss:zend_framework_integration_zend_framework |