PT-2024-40370 · Unknown · Zend Framework

Published 2024-06-07 · Updated 2024-06-07

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Zend Framework versions prior to the fixed version
Description: The issue concerns the generation of CAPTCHA challenges. Specifically, the Zend_Captcha_Word (v1) and Zend\Captcha\Word (v2) components use PHP's internal array_rand() function to select a sequence of random letters. Because array_rand() relies on rand() rather than a cryptographically secure source such as openssl_random_pseudo_bytes(), it does not provide sufficient entropy. This could lead to information disclosure if an attacker is able to brute-force the random number generation.
Recommendations: For versions prior to the fixed version, consider replacing the array_rand() call in the Zend_Captcha_Word and Zend\Captcha\Word components with a cryptographically secure random source such as openssl_random_pseudo_bytes(). At the moment there is no information about a newer version that contains a fix for this vulnerability.
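The following is an added illustration, not code from Zend Framework or from the advisory: the weak letter-selection pattern the description refers to, beside a replacement that draws each letter from a CSPRNG with rejection sampling so no letter is favoured. The alphabet and word length are constructed sample values; the real PHP function is openssl_random_pseudo_bytes(), and on PHP 7+ random_int() can do the same job in one call.

```php
<?php
// Weak pattern: array_rand() draws from PHP's non-cryptographic rand()/mt_rand()
// state, so a sequence of CAPTCHA words leaks the generator state to an observer.
function weakCaptchaWord(array $alphabet, int $length): string
{
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        $word .= $alphabet[array_rand($alphabet)]; // not cryptographically secure
    }
    return $word;
}

// Hardened replacement: CSPRNG-backed index selection without modulo bias.
// (On PHP 7+, random_int(0, $n - 1) is an equivalent single call.)
function secureCaptchaWord(array $alphabet, int $length): string
{
    $n = count($alphabet);
    if ($n < 2 || $length < 1) {
        throw new InvalidArgumentException('need at least two symbols and a positive length');
    }
    // Smallest all-ones bit mask that covers every valid index 0 .. n-1.
    $mask = 1;
    while ($mask < $n - 1) {
        $mask = ($mask << 1) | 1;
    }
    $word = '';
    while (strlen($word) < $length) {
        $bytes = openssl_random_pseudo_bytes(4, $strong);
        if ($bytes === false || !$strong) {
            throw new RuntimeException('CSPRNG unavailable; refusing to fall back to rand()');
        }
        $idx = unpack('N', $bytes)[1] & $mask;
        if ($idx < $n) {              // reject out-of-range draws instead of reducing mod n
            $word .= $alphabet[$idx];
        }
    }
    return $word;
}

// Constructed sample alphabet and length, assumed for this illustration.
$alphabet = str_split('abcdefghijklmnopqrstuvwxyz');
echo secureCaptchaWord($alphabet, 8), PHP_EOL;
```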

Related Identifiers: GHSA-MG4X-PRH7-G4MX

Affected Products: Zend Framework