Published: 26 November 2019
SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction with PDO_MySql in PHP before 5.3.6.
CVSS 3 base score: 9.8
Per upstream, the only one who can exploit this is the author of the code; upstream won't backport. Workaround is to use a supported encoding (iso-8859-1/latin1, utf-8 and other encodings using the lower 7 bits in an ASCII-compatible manner).
actually an issue in zendframework
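
The workaround's criterion (an encoding that uses the lower 7 bits in an ASCII-compatible manner) can be checked mechanically. The following is an added example, not code from Zend Framework or from this tracker entry; it uses Python's codec tables as a stand-in for the connection charset, and the function names are illustrative.

```python
# Added example. Python codec names are assumed stand-ins for DB charsets.
# Bytes that carry meaning in SQL string quoting.
SQL_META = {0x22: '"', 0x27: "'", 0x5C: "\\"}


def ascii_bytes_in_multibyte(encoding):
    """ASCII-range byte values (0x00-0x7F) found inside multi-byte characters."""
    found = set()
    for cp in range(0x80, 0x10000):          # BMP is enough for these charsets
        if 0xD800 <= cp <= 0xDFFF:           # surrogates are not characters
            continue
        try:
            raw = chr(cp).encode(encoding)
        except UnicodeEncodeError:           # character not in this charset
            continue
        if len(raw) > 1:
            found.update(b for b in raw if b < 0x80)
    return found


def ascii_is_identity(encoding):
    """True if every ASCII character encodes to the same single byte."""
    try:
        return all(chr(i).encode(encoding) == bytes([i]) for i in range(0x80))
    except UnicodeEncodeError:
        return False


def is_ascii_compatible(encoding):
    """The workaround's criterion: lower 7 bits mean ASCII and nothing else."""
    return ascii_is_identity(encoding) and not ascii_bytes_in_multibyte(encoding)


def sql_meta_exposed(encoding):
    """Quoting characters whose byte value can occur inside a multi-byte character."""
    hits = ascii_bytes_in_multibyte(encoding)
    return sorted(ch for b, ch in SQL_META.items() if b in hits)


if __name__ == "__main__":
    for enc in ("latin-1", "utf-8", "gbk", "big5", "utf-16-le"):
        verdict = "ok" if is_ascii_compatible(enc) else "NOT ASCII-compatible"
        print(f"{enc:10} {verdict:22} quoting bytes inside characters: "
              f"{sql_meta_exposed(enc)}")
```

An encoding reported as not ASCII-compatible is one where byte-wise escaping and the server's character decoding can disagree about where a quoting character sits, which is the condition the workaround avoids.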