nessus | Tenable | 9142.PRM
History: Mar 15, 2016 - 12:00 a.m.

Zend Framework < 1.12.9 / 2.2.x < 2.2.8 / 2.3.x < 2.3.3 SQL Injection

Tenable
www.tenable.com

Versions of Zend Framework prior to 1.12.9, 2.2.x earlier than 2.2.8, or 2.3.x earlier than 2.3.3 are vulnerable to a flaw that may allow an SQL injection attack. The issue is due to improper use of the SQLSRV PHP extension, as user-supplied input containing NULL bytes is not properly sanitized. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
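To find affected installs, the version ranges above can be checked against a project's composer.lock. The following is an added example, not part of the Tenable plugin; the Packagist package names and the sample lock file are assumptions constructed for illustration. Branches the advisory does not list (for example 2.1.x or 2.4.x) are reported as "not-listed" rather than guessed.

```python
import json
import re

# Fixed release per 2.x branch, taken from the advisory text.
FIXED_2X = {(2, 2): (2, 2, 8), (2, 3): (2, 3, 3)}
# Assumption: Packagist names for Zend Framework 2 and 1 (not given on the page).
PACKAGES = {"zendframework/zendframework", "zendframework/zendframework1"}

def parse_version(text):
    """Return (major, minor, patch) from 'v2.2.7' or '1.12.8'; suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def classify(version_text):
    """Return 'vulnerable', 'fixed', or 'not-listed' (branch absent from the advisory)."""
    v = parse_version(version_text)
    if v < (1, 12, 9):            # "prior to 1.12.9"
        return "vulnerable"
    if v[0] == 1:                 # 1.12.9 and later 1.x releases
        return "fixed"
    fixed = FIXED_2X.get(v[:2])
    if fixed is None:
        return "not-listed"
    return "vulnerable" if v < fixed else "fixed"

def audit_lock(lock_json):
    """Return (name, version, status) for each Zend Framework entry in a composer.lock."""
    data = json.loads(lock_json)
    pkgs = (data.get("packages") or []) + (data.get("packages-dev") or [])
    return [(p["name"], p["version"], classify(p["version"]))
            for p in pkgs if p.get("name") in PACKAGES]

# Constructed sample lock file, for illustration only.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "zendframework/zendframework", "version": "2.2.7"},
        {"name": "monolog/monolog", "version": "1.17.0"},
    ],
    "packages-dev": [
        {"name": "zendframework/zendframework1", "version": "1.12.9"},
    ],
})

if __name__ == "__main__":
    for name, version, status in audit_lock(SAMPLE_LOCK):
        print(f"{name} {version}: {status}")
```
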

Vendor | Product | Version | CPE
thomas_breuss | zend_framework_integration_zend_framework | | cpe:/a:thomas_breuss:zend_framework_integration_zend_framework