Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yMjl4LTIyeGMtMmYyd84AA80B
Zendframework Local file disclosure via XXE injection in Zend_XmlRpc
Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
Permalink: https://github.com/advisories/GHSA-229x-22xc-2f2wJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yMjl4LTIyeGMtMmYyd84AA80B
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Identifiers: GHSA-229x-22xc-2f2w
References:
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2012-01.yaml
- https://web.archive.org/web/20210620092354/https://framework.zend.com/security/advisory/ZF2012-01
- https://github.com/advisories/GHSA-229x-22xc-2f2w
Affected Packages
packagist:zendframework/zendframework1
Dependent packages: 151Dependent repositories: 841
Downloads: 6,569,545 total
Affected Version Ranges: >= 1.0.0, < 1.11.13
Fixed in: 1.11.13
All affected versions:
All unaffected versions: 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.12.10, 1.12.11, 1.12.12, 1.12.13, 1.12.14, 1.12.15, 1.12.16, 1.12.17, 1.12.18, 1.12.19, 1.12.20