High severity (8.8) · NVD Advisory · Published Jun 8, 2017 · Updated May 13, 2026
CVE-2015-1786
Description
Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework 2.3.x before 2.3.6: the validator can be bypassed with null or malformed token identifiers.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| zendframework/zendframework (Packagist) | >= 2.3.0, < 2.3.6 | 2.3.6 |
Affected products
- cpe:2.3:a:zend:zend_framework:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend_framework:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend_framework:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend_framework:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend_framework:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend_framework:2.3.5:*:*:*:*:*:*:*
Patches
213d2c490f55 Fix CSRF Validator
2 files changed · +30 −4
library/Zend/Validator/Csrf.php+6 −3 modified@@ -121,7 +121,10 @@ public function isValid($value, $context = null) $tokenId = $this->getTokenIdFromHash($value); $hash = $this->getValidationToken($tokenId); - if ($this->getTokenFromHash($value) !== $this->getTokenFromHash($hash)) { + $tokenFromValue = $this->getTokenFromHash($value); + $tokenFromHash = $this->getTokenFromHash($hash); + + if (!$tokenFromValue || !$tokenFromHash || ($tokenFromValue !== $tokenFromHash)) { $this->error(self::NOT_SAME); return false; } @@ -331,7 +334,7 @@ protected function getValidationToken($tokenId = null) return $this->formatHash($session->tokenList[$tokenId], $tokenId); } - return null; + return; } /** @@ -363,7 +366,7 @@ protected function getTokenIdFromHash($hash) $data = explode('-', $hash); if (! isset($data[1])) { - return null; + return; } return $data[1];
tests/ZendTest/Validator/CsrfTest.php+24 −1 modified@@ -200,7 +200,7 @@ public function testMultipleValidatorsSharingContainerGenerateDifferentHashes() $hashOne = $validatorOne->getHash(); $hashTwo = $validatorTwo->getHash(); - $this->assertNotEquals($hashOne , $hashTwo); + $this->assertNotEquals($hashOne, $hashTwo); } public function testCanValidateAnyHashWithinTheSameContainer() @@ -260,4 +260,27 @@ public function testCanValidateHasheWithoutId() $this->assertTrue($this->validator->isValid($bareToken)); } + + public function fakeValuesDataProvider() + { + return array( + array(''), + array('-fakeTokenId'), + array('fakeTokenId-fakeTokenId'), + array('fakeTokenId-'), + array('fakeTokenId'), + array(md5(uniqid()) . '-'), + array(md5(uniqid()) . '-' . md5(uniqid())), + array('-' . md5(uniqid())) + ); + } + + /** + * @dataProvider fakeValuesDataProvider + */ + public function testWithFakeValues($value) + { + $validator = new Csrf(); + $this->assertFalse($validator->isValid($value)); + } }
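Review bot: the new guard in the isValid hunk, `if (!$tokenFromValue || !$tokenFromHash || ($tokenFromValue !== $tokenFromHash))`, is what actually closes the bypass: whenever getTokenIdFromHash yields no id, or the id is not in the session token list, getValidationToken returns null, and the old check then compared a token extracted from the malformed value against a token extracted from null; when both come back empty, `!==` is false and the validator accepts the request. Two follow-ups: the truthiness checks also reject a token whose string is "0" (fail-closed, so acceptable, but `=== ''` / `=== null` tests would state the intent more precisely), and the remaining `!==` comparison is not constant-time, so on PHP 5.6 and later `hash_equals($tokenFromHash, $tokenFromValue)` is the preferred comparison for the non-empty case.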
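Review bot: in the getValidationToken and getTokenIdFromHash hunks, replacing `return null;` with a bare `return;` is behaviour-neutral in PHP (the caller receives null either way) and unrelated to the fix; it only makes the null return less obvious to readers and to static analysis. Either keep `return null;` or make sure both docblocks declare `@return string|null`, since isValid now relies on handling exactly that empty case.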
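Review bot: testWithFakeValues in the CsrfTest hunk only exercises a validator that has never issued a hash, so the regression test covers the "nothing in the session" path but not the path where a real token id exists. Add cases that call `$validator->getHash()` first and then assert that values built from the real token id with an empty or altered token part (for example `'-' . $tokenId`) are still rejected, and replace the `md5(uniqid())` entries with fixed strings so the data set is deterministic and a failure is reproducible from the test output.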
References
- bugzilla.redhat.com/show_bug.cgi (nvd: Issue Tracking, Third Party Advisory, VDB Entry)
- framework.zend.com/changelog/2.3.6 (nvd: Release Notes, Vendor Advisory)
- github.com/advisories/GHSA-gwwq-54qp-9pgp (ghsa: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-1786 (ghsa: Advisory)
- framework.zend.com/security/advisory/ZF2015-03 (ghsa)
- github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-1786.yaml (ghsa)
- github.com/zendframework/zendframework/commit/213d2c490f55331ba4e5e3884bd81d13d1eb0aee (ghsa)
- github.com/zendframework/zf-web/blob/f97fe5c3cf6c51df7502237c6342511802c8df22/module/Security/view/security/advisory/ZF2015-03.phtml (ghsa)
- github.com/zendframework/zf3-web/blob/5852ab5bfd47285e6b46f9e7b13250629b3e372e/data/advisories/ZF2015-03.md (ghsa)