PT-2024-40351 · Zend · Zend Framework 2

Published 2024-06-07 · Updated 2024-06-07

CVSS v3.1 7.5 (High)
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions Zend Framework 2 (affected versions not specified)
Description Zend\Mvc\Router\Http\Query captures every query-string parameter of the request into its own RouteMatch. When it is attached as a child route, the Part route merges the child's parameters over those already captured by the parent routes, so a query parameter with the same name overwrites a value that the parent route has already matched and checked against its constraints. An attacker who controls the request URI can therefore supply parameter values that violate the parent route's constraints and, because the controller and action are themselves routing parameters, cause a different controller than intended to be dispatched.
Recommendations No release containing a fix is known. The practical mitigation is to remove Zend\Mvc\Router\Http\Query from the routing configuration: a route that captures arbitrary query parameters and overwrites its parents' parameters cannot be protected by route constraints. Read query parameters in the controller with $this->params()->fromQuery() and validate them there, and never let a query parameter select the controller or action. The Query route was later deprecated and does not exist in zend-mvc 3.
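The override described above, and the configuration change that removes it, as an added example (not code from the advisory or from Zend Framework itself). It assumes a Zend Framework 2.x install via Composer that still ships the Query route; the route name 'user', the controller names and the attacker URI are constructed for illustration.

```php
<?php
// Added example, not code from the advisory or from Zend Framework.
// Shows a child Zend\Mvc\Router\Http\Query route overwriting parameters that
// the parent Segment route already captured and constraint-checked, next to
// the hardened configuration that simply drops the Query route.
// Assumptions: ZF2 installed via Composer; route/controller names hypothetical.
require __DIR__ . '/vendor/autoload.php';

use Zend\Http\Request;
use Zend\Mvc\Router\Http\TreeRouteStack;
use Zend\Stdlib\Parameters;

// Parent route shared by both configurations: 'id' must be digits and the
// controller/action are fixed by the route defaults.
$userRoute = [
    'type'    => 'Segment',
    'options' => [
        'route'       => '/user/:id',
        'constraints' => ['id' => '[0-9]+'],
        'defaults'    => [
            'controller' => 'Application\Controller\User',
            'action'     => 'show',
        ],
    ],
    'may_terminate' => true,
];

// Vulnerable: the Query child captures every query parameter into its own
// RouteMatch, and the Part route merges the child's params over the parent's,
// so ?id=...&controller=... replaces the values the Segment route checked.
$vulnerable = TreeRouteStack::factory(['routes' => [
    'user' => $userRoute + ['child_routes' => ['query' => ['type' => 'Query']]],
]]);

// Hardened: no Query child. Query parameters never enter the RouteMatch and
// are read and validated in the controller instead, e.g.
//   $id = $this->params()->fromQuery('id');  // validate before use
$hardened = TreeRouteStack::factory(['routes' => ['user' => $userRoute]]);

/**
 * Route a URI and return the RouteMatch parameters, or null if nothing matched.
 * Zend\Http\PhpEnvironment\Request fills the query container from $_GET in a
 * real application; here it is filled from the URI's query string by hand.
 */
function routeParams(TreeRouteStack $router, $uri)
{
    $request = new Request();
    $request->setUri($uri);
    parse_str((string) $request->getUri()->getQuery(), $query);
    $request->setQuery(new Parameters($query));

    $match = $router->match($request);
    return $match === null ? null : $match->getParams();
}

// Constructed attacker URI: the path satisfies the [0-9]+ constraint, while
// the query string carries a non-numeric id and a different controller/action.
$uri = '/user/42?id=%27%20OR%201%3D1'
     . '&controller=Application%5CController%5CAdmin&action=delete';

var_dump(routeParams($vulnerable, $uri));
var_dump(routeParams($hardened, $uri));
```

With the vulnerable stack the first dump carries the query-string values for id, controller and action in place of the ones the Segment route captured, which is the constraint bypass and controller switch the description refers to. With the hardened stack the dump carries id 42 and the route defaults; the query string is still available to the controller through fromQuery(), where it can be validated.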

Weakness Enumeration

Special Elements Injection

Related Identifiers

GHSA-JQ87-2WXP-8349

Affected Products

Zend Framework 2