Описание
ZendFramework potential SQL Injection Vector When Using PDO_MySql
Developers using non-ASCII-compatible encodings in conjunction with the MySQL PDO driver of PHP may be vulnerable to SQL injection attacks. Developers using ASCII-compatible encodings like UTF8 or latin1 are not affected by this PHP issue, which is described in more detail here:
http://bugs.php.net/bug.php?id=47802 The PHP Group included a feature in PHP 5.3.6+ that allows any character set information to be passed as part of the DSN in PDO to allow both the database as well as the C-level driver to be aware of which charset is in use which is of special importance when PDO's quoting mechanisms are utilized, which Zend Framework also relies on.
Пакеты
zendframework/zendframework1
>= 1.10.0, < 1.10.9
1.10.9
zendframework/zendframework1
>= 1.11.0, < 1.11.6
1.11.6
9.8 Critical
CVSS3
Дефекты
9.8 Critical
CVSS3