SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| zendframework/zendframework1(Packagist) | 1.12.0 | 1.12.9 | N/A |
| zendframework/zend-db(Packagist) | 2.0.0 | 2.0.99 | N/A |
| zendframework/zend-db(Packagist) | 2.1.0 | 2.1.99 | N/A |
| zendframework/zend-db(Packagist) | 2.2.0 | 2.2.8 | N/A |
| zendframework/zend-db(Packagist) | 2.3.0 | 2.3.3 | N/A |
| zendframework/zendframework(Packagist) | 2.0.0 | 2.0.99 | N/A |
| zendframework/zendframework(Packagist) | 2.1.0 | 2.1.99 | N/A |
| zendframework/zendframework(Packagist) | 2.2.0 | 2.2.8 | N/A |
| zendframework/zendframework(Packagist) | 2.3.0 | 2.3.3 | N/A |
CVSS Metrics
