Description

The XmlRpc package of Zend Framework is vulnerable to XML eXternal Entity Injection attacks (both server and client). The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections. Other software that uses the XmlRpc package of Zend Framework is then also vulnerable to XML eXternal Entity Injection attacks!

Remediation

Upgrade to the latest version of Zend Framework.

References

ZF2012-01: Local file disclosure via XXE injection in Zend_XmlRpc

XML eXternal Entity Injection (XXE) on PHP FPM

Related Vulnerabilities

Moodle Improper Access Control Vulnerability (CVE-2016-2159)

XXE in Ivanti Connect Secure, Policy Secure and Neurons (CVE-2024-22024)

TYPO3 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-21365)

Liferay DXP Incorrect Default Permissions Vulnerability (CVE-2022-42128)

Drupal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2013-6388)

Severity

High

Classification

CVE-2012-3363 CVE-2015-5161 CWE-611 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N

Tags

Information Disclosure Known Vulnerabilities Acumonitor File Inclusion XXE