Back to Codebase

Vulnerability Analysis Report

magento/zendframework1 v1.15.0

Scan ID: SCAN-ZENDFRAMEWORK1-ZEzPtJ • Hash: 9ec842d5

Severity Score
Critical
Total Findings
22
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.756s

Vulnerability Details

L1129

Dynamic Code Execution in Acl.php

CWE-94
File Location: library/Zend/Acl.php:1129
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $assertionValue = $assertion->assert(
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L203

Dynamic Code Execution in FunctionFrontendTest.php

CWE-94
File Location: tests/Zend/Cache/FunctionFrontendTest.php:203
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval('$closure = function () {};'); // no parse error on php < 5.3
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L5

Dynamic Code Execution in AssertionZF7973.php

CWE-94
File Location: tests/Zend/Acl/_files/AssertionZF7973.php:5
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- public function assert(Zend_Acl $acl,
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L62

Dynamic Code Execution in Interface.php

CWE-94
File Location: library/Zend/Acl/Assert/Interface.php:62
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null,
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L12

Dynamic Code Execution in MockAssertion.php

CWE-94
File Location: tests/Zend/Acl/_files/MockAssertion.php:12
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null, Zend_Acl_Resource_Interface $resource = null,
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L11

Dynamic Code Execution in UserIsBlogPostOwnerAssertion.php

CWE-94
File Location: tests/Zend/Acl/_files/UseCase1/UserIsBlogPostOwnerAssertion.php:11
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $user = null, Zend_Acl_Resource_Interface $blogPost = null, $privilege = null)
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L2

Cross-Site Scripting (XSS) in ZF10645-PutContentType.php

CWE-79
File Location: tests/Zend/Http/Client/_files/ZF10645-PutContentType.php:2
Security Score:
89 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo 'REQUEST_METHOD: ' . $_SERVER['REQUEST_METHOD'] . "\n\n";
+ echo htmlspecialchars('REQUEST_METHOD: ' . $_SERVER['REQUEST_METHOD'] . "\n\n", ENT_QUOTES, "UTF-8");
L23

Cross-Site Scripting (XSS) in testResetParameters.php

CWE-79
File Location: tests/Zend/Http/Client/_files/testResetParameters.php:23
Security Score:
89 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo serialize($_GET) . "\n" . serialize($_POST);
+ echo htmlspecialchars(serialize($_GET) . "\n" . serialize($_POST), ENT_QUOTES, "UTF-8");
L107

Cross-Site Scripting (XSS) in amazon-search.php

CWE-79
File Location: demos/Zend/WebServices/Amazon/amazon-search.php:107
Security Score:
87 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- <form action="<?php echo $_SERVER['SCRIPT_NAME']; ?>" method="post">
+ echo htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, "UTF-8");
L98

Cross-Site Scripting (XSS) in yahoo-multi-search.php

CWE-79
File Location: demos/Zend/WebServices/Yahoo/yahoo-multi-search.php:98
Security Score:
86 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- <form action="<?php echo $_SERVER['SCRIPT_NAME']; ?>" method="post">
+ echo htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, "UTF-8");
L23

Cross-Site Scripting (XSS) in testGetData.php

CWE-79
File Location: tests/Zend/Http/Client/_files/testGetData.php:23
Security Score:
84 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo serialize($_GET);
+ echo htmlspecialchars(serialize($_GET), ENT_QUOTES, "UTF-8");
L34

Cross-Site Scripting (XSS) in testHttpAuth.php

CWE-79
File Location: tests/Zend/Http/Client/_files/testHttpAuth.php:34
Security Score:
84 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo serialize($_GET), "\n", $user, "\n", $pass, "\n";
+ echo htmlspecialchars(serialize($_GET), "\n", $user, "\n", $pass, "\n", ENT_QUOTES, "UTF-8");
L112

Cross-Site Scripting (XSS) in index.php

CWE-79
File Location: tests/Zend/Http/index.php:112
Security Score:
84 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- value="<?=htmlentities($_GET['userAgent'])?>" /> <br />
+ echo htmlspecialchars("<?=htmlentities($_GET['userAgent'])?, ENT_QUOTES, "UTF-8");
L23

Cross-Site Scripting (XSS) in testPostData.php

CWE-79
File Location: tests/Zend/Http/Client/_files/testPostData.php:23
Security Score:
82 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo serialize($_POST);
+ echo htmlspecialchars(serialize($_POST), ENT_QUOTES, "UTF-8");
L90

Cross-Site Scripting (XSS) in flickr-composite.php

CWE-79
File Location: demos/Zend/WebServices/Flickr/flickr-composite.php:90
Security Score:
80 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- <form action="<?php echo $_SERVER['SCRIPT_NAME']; ?>" method="post">
+ echo htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, "UTF-8");
L336

Weak Cryptographic Hash (MD5) in Mcrypt.php

CWE-327
File Location: library/Zend/Filter/Encrypt/Mcrypt.php:336
Security Score:
37 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = substr(md5($key), 0, $keysize);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L659

Weak Cryptographic Hash (MD5) in Font.php

CWE-327
File Location: library/Zend/Pdf/Font.php:659
Security Score:
37 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $filePathKey = md5($filePath);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L275

Weak Cryptographic Hash (MD5) in Pop3.php

CWE-327
File Location: library/Zend/Mail/Protocol/Pop3.php:275
Security Score:
33 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->request("APOP $user " . md5($this->_timestamp . $password));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L443

Weak Cryptographic Hash (MD5) in Openssl.php

CWE-327
File Location: library/Zend/Filter/Encrypt/Openssl.php:443
Security Score:
32 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $fingerprint = md5($details['key']);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L376

Weak Cryptographic Hash (MD5) in Openssl.php

CWE-327
File Location: library/Zend/Filter/Encrypt/Openssl.php:376
Security Score:
27 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $fingerprints[$count] = md5($details['key']);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L95

Weak Cryptographic Hash (MD5) in Crammd5.php

CWE-327
File Location: library/Zend/Mail/Protocol/Smtp/Auth/Crammd5.php:95
Security Score:
27 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = pack('H32', md5($key));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L594

Weak Cryptographic Hash (MD5) in Font.php

CWE-327
File Location: library/Zend/Pdf/Font.php:594
Security Score:
27 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $filePathKey = md5($filePath);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing