Zend Framework < 1.12.7 SQL Injection
High Nessus Network Monitor Plugin ID 9149
SynopsisThe remote host is using a version of Zend Framework that is vulnerable to SQL Injection (SQLi).
DescriptionVersions of Zend Framework earlier than 1.12.7 contain a flaw that may allow an SQL injection attack. The issue is due to the 'Zend_Db_Select::order()' function not properly sanitizing user-supplied input before using it in SQL queries. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
SolutionUpgrade Zend Framework to version 1.12.7 or later.