Zend\Validator\Csrf, starting in the Zend Framework 2.3 series, was not correctly identifying null or malformed token identifiers, leading to false positive validations, and thus potentially allowing for Cross-Site Request Forgery vectors.
A patch was written that correctly identifies invalid token identifiers, ensuring that they invalidate the provided value.
It was discovered that the vulnerability was introduced specifically in the 2.3 series, and thus no patch was necessary against the 2.2 series.
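The failure mode described above, shown as an added example that is not Zend Framework's code or its patch: a simplified token store in which a null or malformed identifier resolves to "no expected token" and a loose comparison then accepts it, next to a strict check. The class name, the `<secret>-<id>` token layout and the sample inputs are assumptions made for illustration.

```php
<?php
// Hypothetical, simplified model; not Zend\Validator\Csrf or its patch.
// Assumed layout: tokens are issued as "<secret>-<id>", secrets stored by id.
final class TokenStore
{
    private array $secrets = [];

    public function issue(): string
    {
        $id = bin2hex(random_bytes(8));
        $this->secrets[$id] = bin2hex(random_bytes(16));
        return $this->secrets[$id] . '-' . $id;
    }

    // Split a submitted value into [secret, id]; a missing part becomes null.
    private function split($value): array
    {
        if (!is_string($value)) {
            return [null, null];
        }
        $parts = explode('-', $value, 2);
        return [$parts[0] !== '' ? $parts[0] : null, $parts[1] ?? null];
    }

    // Flawed: a null or unknown id yields no expected secret (null), and a
    // missing submitted secret (null) then compares equal to it.
    public function isValidFlawed($value): bool
    {
        [$secret, $id] = $this->split($value);
        $expected = $id !== null ? ($this->secrets[$id] ?? null) : null;
        return $secret === $expected;
    }

    // Hardened: an absent secret, absent id or unknown id invalidates the
    // value before any comparison; the comparison itself is constant time.
    public function isValidStrict($value): bool
    {
        [$secret, $id] = $this->split($value);
        if ($secret === null || $id === null || !isset($this->secrets[$id])) {
            return false;
        }
        return hash_equals($this->secrets[$id], $secret);
    }
}

$store = new TokenStore();
// Constructed inputs: one issued token, then null and malformed values.
foreach ([$store->issue(), null, '', '-nosuchid', 'abc-nosuchid'] as $v) {
    printf("%s flawed=%d strict=%d\n", json_encode($v), $store->isValidFlawed($v), $store->isValidStrict($v));
}
```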
Created php-ZendFramework2 tracking bugs for this issue:
Affects: fedora-all [bug 1207782]
Affects: epel-all [bug 1207783]
All dependent bugs have been closed. Can this tracking bug be closed as well?
Yep, this one can (and should) be closed.