Zend Framework XEE Vulnerability
Moderate severity
GitHub Reviewed
Published
May 17, 2022
to the GitHub Advisory Database
•
Updated Jan 12, 2024
Package
Affected versions
>= 1.0, < 1.11.13
>= 1.12.0-rc1, < 1.12.0
Patched versions
1.11.13
1.12.0
Description
Published by the National Vulnerability Database
Feb 13, 2013
Published to the GitHub Advisory Database
May 17, 2022
Reviewed
Jan 12, 2024
Last updated
Jan 12, 2024
(1)
Zend_Dom, (2)Zend_Feed, and (3)Zend_Soapin Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement classes, which allow remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack, a different vulnerability than CVE-2012-3363.References