Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01OTY0LXBxOHItNHE2Ms4AAfIB
CakePHP allows remote attackers to read arbitrary files via XML data containing external entity references
The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
Permalink: https://github.com/advisories/GHSA-5964-pq8r-4q62
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01OTY0LXBxOHItNHE2Ms4AAfIB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 8 months ago
Identifiers: GHSA-5964-pq8r-4q62, CVE-2012-4399
References:
- https://nvd.nist.gov/vuln/detail/CVE-2012-4399
- http://bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1
- http://seclists.org/bugtraq/2012/Jul/101
- http://secunia.com/advisories/49900
- http://www.exploit-db.com/exploits/19863
- http://www.openwall.com/lists/oss-security/2012/09/03/1
- http://www.openwall.com/lists/oss-security/2012/09/03/2
- http://www.osvdb.org/84042
- https://github.com/advisories/GHSA-5964-pq8r-4q62
Affected Packages
packagist:cakephp/cakephp
Versions: >= 2.2.0-beta, < 2.2.1, >= 2.1.0-alpha, < 2.1.5
Fixed in: 2.2.1, 2.1.5