Critical severity9.8NVD Advisory· Published Dec 29, 2017· Updated May 13, 2026

CVE-2014-4914

Description

The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors.

Affected products

Zend/Framework
cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*
Range: <1.12.7
Debian/Debian Linux2 versions
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

framework.zend.com/security/advisory/ZF2014-04nvdVendor Advisory
jvn.jp/en/jp/JVN71730320/index.htmlnvdThird Party AdvisoryVDB Entry
openwall.com/lists/oss-security/2014/07/11/4nvdMailing ListThird Party Advisory
secunia.com/advisories/58847nvdThird Party Advisory
www.securityfocus.com/bid/68031nvdThird Party AdvisoryVDB Entry
www.debian.org/security/2015/dsa-3265nvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.003
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000