Improper Neutralization of Special Elements in Output Used by a Downstream Component in Zend Framework - CVE-2015-3154

Published: January 27, 2020 / Updated: July 17, 2020


Vulnerability identifier: #VU30424
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2015-3154
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Zend
Affected software:
Zend Framework

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

CRLF injection vulnerability in ZendMail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
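The following is an added example (not Zend Framework's code) of the header handling that closes this class of bug: a mail header value containing CR or LF is rejected before the header block is rendered, so a caller-supplied value cannot terminate its own line and start a new header. The class, function and sample values are constructed for this illustration.

```python
import re
from typing import List

# A CR or LF inside a header *value* ends the current header line, so whatever
# follows is parsed as a new header (the CRLF injection the advisory describes).
# Other ASCII control characters are rejected too; TAB is kept because RFC 5322
# allows it as whitespace inside unstructured header text.
_FORBIDDEN = re.compile(r"[\x00-\x08\x0A-\x1F\x7F]")
# RFC 5322 field names: printable US-ASCII except the colon.
_FIELD_NAME = re.compile(r"^[\x21-\x39\x3B-\x7E]+$")


def header_value_is_safe(value: str) -> bool:
    """True when the value cannot break out of its own header line."""
    return _FORBIDDEN.search(value) is None


def injected_header_names(value: str) -> List[str]:
    """For logging: header names that a CR/LF-bearing value would have added."""
    names = []
    for line in re.split(r"\r\n|\r|\n", value)[1:]:
        match = re.match(r"^([\x21-\x39\x3B-\x7E]+):", line)
        if match:
            names.append(match.group(1))
    return names


class MailHeaders:
    """Minimal header collection that refuses CR/LF in names and values."""

    def __init__(self) -> None:
        self._fields = []

    def add(self, name: str, value: str) -> None:
        if not _FIELD_NAME.match(name):
            raise ValueError(f"invalid header name: {name!r}")
        if not header_value_is_safe(value):
            raise ValueError(f"control characters in header {name!r}: {value!r}")
        self._fields.append((name, value))

    def render(self) -> str:
        # Each header is terminated by exactly one CRLF, supplied here, never by the caller.
        return "".join(f"{name}: {value}\r\n" for name, value in self._fields)


# Constructed sample values (not taken from the advisory).
BENIGN_SUBJECT = "Your order has shipped"
INJECTED_SUBJECT = "Your order has shipped\r\nBcc: attacker@example.invalid"
```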


How to mitigate CVE-2015-3154

Install the update from the vendor's website.

Sources