Lucene search

K

Veracode Vulnerability DatabaseVERACODE:4720

HistoryJul 26, 2017 - 11:17 p.m.

XML External Entity (XXE) And XML Entity Expansion (XEE)

2017-07-2623:17:17

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

11

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

Zendframework and ZendXml is vulnerable to XML external entity (XXE) And XML entity expansion (XEE). These attacks are possible through the Zend_Xml_Security::scan function in ZendXml.

CPENameOperatorVersion
zendframework/zendframeworkle2.5.1
zendframework/zendframeworkle2.4.5
zendframework/zendframework1le1.12.13
zendframework/zendxmleq1.0.0

References

framework.zend.com/security/advisory/ZF2015-06

legalhackers.com/advisories/zend-framework-XXE-vuln.txt

lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html

lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html

lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html

packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html

seclists.org/fulldisclosure/2015/Aug/46

www.debian.org/security/2015/dsa-3340

www.securityfocus.com/bid/76177

framework.zend.com/security/advisory/ZF2015-06

www.exploit-db.com/exploits/37765/

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

Related for VERACODE:4720

nessus14 securityvulns2 packetstorm1 openvas13 ubuntucve2 osv3 fedora9 debian3 prion2 exploitpack2 zdt1 github1 mageia2 cve2 exploitdb2 f51 suse1