GitHub Advisory Database: GHSA-229X-22XC-2F2W
Jun 07, 2024 - 9:39 p.m.

Zendframework Local file disclosure via XXE injection in Zend_XmlRpc

2024-06-07 21:39:43
CWE-611
Source: GitHub Advisory Database (github.com)
Tags: zend_xmlrpc, xxe injection, simplexmlelement, xml-rpc, doctype, file disclosure, tcp connections

AI Score: 7.5 High (Confidence: Low)

Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
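One way an XML-RPC endpoint can refuse the DOCTYPE element described above before handing data to SimpleXML. This is an added example, not code from the advisory or from Zend Framework; the function name `parseXmlRpcRequest` and the sample requests are assumptions made for illustration.

```php
<?php
// Added example (not Zend Framework code): parse an XML-RPC request body
// while refusing any document that carries a DOCTYPE declaration.

function parseXmlRpcRequest(string $xml): SimpleXMLElement
{
    // PHP < 8.0 may be linked against libxml2 < 2.9, which loads external
    // entities by default; switch the entity loader off while parsing.
    $legacy = PHP_VERSION_ID < 80000;
    $prevLoader = $legacy ? libxml_disable_entity_loader(true) : null;
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access; LIBXML_NOENT and
        // LIBXML_DTDLOAD are deliberately not set.
        $ok = $dom->loadXML($xml, LIBXML_NONET);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($legacy) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
    if (!$ok) {
        throw new InvalidArgumentException('Malformed XML-RPC request');
    }
    // XML-RPC needs no DTD, so any DOCTYPE is treated as hostile input.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE not allowed in XML-RPC request');
    }
    return simplexml_import_dom($dom);
}

// Constructed sample inputs: a plain call, and one declaring an internal entity.
$plain = '<?xml version="1.0"?><methodCall><methodName>demo.ping</methodName><params/></methodCall>';
$withDoctype = '<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY e "constructed">]>'
    . '<methodCall><methodName>&e;</methodName></methodCall>';

echo parseXmlRpcRequest($plain)->methodName, "\n";
try {
    parseXmlRpcRequest($withDoctype);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```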

Affected configurations

Vulners node: zendframework / zendframework1, range < 1.11.13
Name: zendframework/zendframework1, operator: lt, version: 1.11.13
