Zend Framework < 2.3.6 CSRF/XSRF
Medium Nessus Network Monitor Plugin ID 9139
Synopsis
The remote host is using a version of Zend Framework that is vulnerable to a Cross-Site Request Forgery (CSRF or XSRF) attack.

Description
Versions of Zend Framework earlier than 2.3.6 are exposed to a flaw in 'Zend\Validator\Csrf' that is triggered because malformed token identifiers are not properly validated. By tricking a user into following a specially crafted link, a context-dependent attacker can bypass the implemented CSRF protection and have the victim perform unspecified actions.

Solution
Upgrade Zend Framework to version 2.3.6 or later.
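The flaw described above is about a CSRF validator accepting token identifiers it should have rejected. The following PHP snippet is an added illustration, not Zend Framework's own code or its fix: it shows the defensive pattern a CSRF check should follow, namely rejecting any token that does not match the expected shape before looking anything up, failing closed on unknown identifiers, and comparing the secret in constant time. The "<id>-<hash>" layout, the hex lengths and the function names are assumptions made for this example.

```php
<?php
// Added example (not Zend Framework code): strict CSRF token validation.
// Assumed token layout: "<tokenId>-<hash>", both lowercase hex (assumption).

function parseCsrfToken(string $value): ?array
{
    // Reject anything that does not match the expected shape outright,
    // so a malformed identifier never reaches the session lookup.
    if (!preg_match('/^([a-f0-9]{32})-([a-f0-9]{64})$/', $value, $m)) {
        return null;
    }
    return ['id' => $m[1], 'hash' => $m[2]];
}

function issueCsrfToken(array &$sessionTokens): string
{
    // One random identifier and one random secret per form/session.
    $id   = bin2hex(random_bytes(16));
    $hash = bin2hex(random_bytes(32));
    $sessionTokens[$id] = $hash;
    return $id . '-' . $hash;
}

function isValidCsrfToken(string $submitted, array $sessionTokens): bool
{
    $parts = parseCsrfToken($submitted);
    if ($parts === null) {
        return false;                       // malformed: fail closed
    }
    if (!array_key_exists($parts['id'], $sessionTokens)) {
        return false;                       // unknown identifier: fail closed
    }
    // Constant-time comparison against the secret stored for this id.
    return hash_equals($sessionTokens[$parts['id']], $parts['hash']);
}

// Constructed demonstration: an in-memory stand-in for $_SESSION.
$session = [];
$token   = issueCsrfToken($session);

var_dump(isValidCsrfToken($token, $session));                       // bool(true)
var_dump(isValidCsrfToken('not-a-token', $session));                // bool(false)
var_dump(isValidCsrfToken('', $session));                           // bool(false)
// Valid hash paired with an identifier that was never issued.
var_dump(isValidCsrfToken(str_repeat('0', 32) . '-' . explode('-', $token)[1], $session)); // bool(false)
```

The point of the structure is that every rejection happens before any comparison with session state: a token that cannot be parsed, or whose identifier is not known to the session, is refused without consulting the stored hash at all.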