CVE-2011-1939

CRITICAL

Zend Framework <1.10.9, <1.11.6 - SQL Injection

Title source: llm

Description

SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction with PDO_MySql in PHP before 5.3.6.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Anthony Ferrara · php · remote · linux
https://www.exploit-db.com/exploits/35784

Scores

CVSS v3 9.8
EPSS 0.0555
EPSS Percentile 90.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (3)
debian/debian_linux 8.0
php/php < 5.3.6
zend/zend_framework 1.10.0 - 1.10.9
Published Nov 26, 2019
Tracked Since Feb 18, 2026