Zend Zendto
8 CVEs affecting Zend Zendto. Latest disclosed: 2025-04-05. Critical: 2, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2021-47667 | Critical | 10.0 | 2025-04-05 | An OS command injection vulnerability in lib/NSSDropoff.php in ZendTo 5.24-3 through 6.x before 6.10-7 allows unauthenticated remote attackers to execute arbit… |
| CVE-2020-8986 | Critical | 9.8 | 2020-03-24 | lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta failed to properly check for equality when validating the session cookie, allowing an attacker to gain admini… |
| CVE-2020-8985 | High | 8.8 | 2020-03-24 | ZendTo prior to 5.22-2 Beta allowed reflected XSS and CSRF via the unlock.tpl unlock user functionality. |
| CVE-2020-8984 | High | 7.5 | 2020-03-24 | lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta allowed IP address spoofing via the X-Forwarded-For header. |
| CVE-2021-27888 | Medium | 6.1 | 2021-03-02 | ZendTo before 6.06-4 Beta allows XSS during the display of a drop-off in which a filename has unexpected characters. |
| CVE-2018-1000841 | Medium | 6.1 | 2018-12-20 | Zend.To version Prior to 5.15-1 contains a Cross Site Scripting (XSS) vulnerability in The verify.php page that can result in An attacker could execute arbitra… |
| CVE-2025-32352 | Medium | 4.8 | 2025-04-05 | A type confusion vulnerability in lib/NSSAuthenticator.php in ZendTo before v5.04-7 allows remote attackers to bypass authentication for users with passwords s… |
| CVE-2013-6808 | | | 2013-12-28 | Cross-site scripting (XSS) vulnerability in lib/NSSDropoff.php in ZendTo before 4.11-13 allows remote attackers to inject arbitrary web script or HTML via a mo… |