In Zend Framework, Zend_Captcha_Word (v1) and Zend\Captcha\Word (v2) generate a βwordβ for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHPβs internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation.
Vendor | Product | Version | CPE |
---|---|---|---|
zendframework | zendframework1 | * | cpe:2.3:a:zendframework:zendframework1:*:*:*:*:*:*:*:* |