logo

Database

XML injection (XXE) In zendframework/zendframework1

Description

ZendFramework potential XML eXternal Entity injection vectors Zend_Feed_Rss and Zend_Feed_Atom were found to contain potential XML eXternal Entity (XXE) vectors due to insecure usage of PHP's DOM extension. External entities could be specified by adding a specific DOCTYPE element to feeds; exploiting this vulnerability could coerce opening arbitrary files and/or TCP connections.

A similar issue was fixed for 1.11.13 and 1.12.0, in the Zend_Feed::import() factory method; however, the reporter of the issue discovered that the individual classes contained similar functionality in their constructors which remained vulnerable.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GCVE-GHSA-4j9x-g4x8-vcmf

References

1. https://framework.zend.com/security/advisory/ZF2012-052. https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2012-05.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.