PT-2024-40179 · Unknown · Zend Framework

Published: 2024-06-07 · Updated: 2024-06-07

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Zend Framework versions prior to the fixed version
Description: The issue concerns the generation of CAPTCHA challenges. Specifically, the Zend_Captcha_Word (v1) and Zend\Captcha\Word (v2) components use PHP's internal array_rand() function to select a sequence of random letters from a character set. This function does not provide sufficient entropy because it relies on rand() rather than a cryptographically secure source such as openssl_random_pseudo_bytes(). As a result, an attacker might be able to brute-force the random number generation, potentially leading to information disclosure.
Recommendations: For versions prior to the fixed version, replace the array_rand() call in the Zend_Captcha_Word and Zend\Captcha\Word components with a cryptographically secure method of generating random numbers, such as openssl_random_pseudo_bytes(). At the moment, there is no information about a newer version that contains a fix for this vulnerability.
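The weak selection pattern the advisory describes, beside two hardened forms, as an added illustration that is not Zend Framework's own code; the alphabet, word length and function names are constructed for the example.

```php
<?php
// Constructed sample character set (not the framework's alphabet).
const CAPTCHA_ALPHABET = ['a','b','c','d','e','f','g','h','j','k','m','n',
                          'p','q','r','s','t','u','v','w','x','y','z'];

/**
 * Weak pattern from the advisory: array_rand() picks each letter.
 * array_rand() draws from PHP's non-cryptographic generator, so an attacker
 * who observes enough challenges may be able to predict later words.
 */
function weakCaptchaWord(array $alphabet, int $length): string
{
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        $word .= $alphabet[array_rand($alphabet)];
    }
    return $word;
}

/**
 * Hardened form for PHP 7+: random_int() is backed by the OS CSPRNG and
 * returns a uniformly distributed index, so no letter is predictable.
 */
function secureCaptchaWord(array $alphabet, int $length): string
{
    $word = '';
    $max  = count($alphabet) - 1;
    for ($i = 0; $i < $length; $i++) {
        $word .= $alphabet[random_int(0, $max)];
    }
    return $word;
}

/**
 * Hardened form using openssl_random_pseudo_bytes(), the source the advisory
 * recommends. Rejection sampling keeps the index uniform (no modulo bias).
 */
function secureCaptchaWordOpenssl(array $alphabet, int $length): string
{
    $n     = count($alphabet);
    $limit = 256 - (256 % $n);   // largest multiple of $n that fits in a byte
    $word  = '';
    while (strlen($word) < $length) {
        $byte = ord(openssl_random_pseudo_bytes(1));
        if ($byte < $limit) {      // discard bytes that would skew the result
            $word .= $alphabet[$byte % $n];
        }
    }
    return $word;
}

echo weakCaptchaWord(CAPTCHA_ALPHABET, 8), "\n";
echo secureCaptchaWord(CAPTCHA_ALPHABET, 8), "\n";
echo secureCaptchaWordOpenssl(CAPTCHA_ALPHABET, 8), "\n";
```

When auditing a code base for this class of issue, grep for array_rand(), rand() and mt_rand() in any code that produces CAPTCHA words, tokens or nonces.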

Weakness Enumeration

Related Identifiers: GHSA-848F-MPH5-9PM9

Affected Products: Zend Framework