
Zend Framework < 2.3.6 CSRF/XSRF

Medium

Synopsis

The remote host is using a version of Zend Framework that is vulnerable to a Cross-Site Request Forgery (CSRF or XSRF) attack.

Description

Versions of Zend Framework earlier than 2.3.6 contain a flaw in 'Zend\Validator\Csrf': malformed token identifiers are not properly validated. By tricking a user into following a specially crafted link, a context-dependent attacker can bypass the CSRF protection and have the victim perform unspecified actions.

Solution

Upgrade Zend Framework to version 2.3.6 or later.