logo

Database

XML injection (XXE) In zendframework/zendframework1

Description

Zendframework Local file disclosure via XXE injection in Zend_XmlRpc Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GCVE-GHSA-229x-22xc-2f2w

References

1. https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2012-01.yaml2. https://web.archive.org/web/20210620092354/https://framework.zend.com/security/advisory/ZF2012-01

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.