Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2012-3363 — XML External Entity (XXE) Injection in Framework
Severity
9.1 CRITICAL (NVD)
NVD 6.4
EPSS
55.1%
top 1.93%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Feb 13
Latest update: May 17
Description
Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2
Affected Packages: 2 packages
Also affects: Debian Linux 6.0, Fedora 17, 18
Patches
Bugzilla: CVE-2013-1830 CVE-2013-1831 CVE-2013-1832 CVE-2013-1833 CVE-2012-3363 CVE-2013-1834 CVE-2013-1835 CVE-2013-1836 moodle various flaws [fedora-17] (2013-03-25)
Bugzilla: CVE-2013-1830 CVE-2013-1831 CVE-2013-1832 CVE-2013-1833 CVE-2012-3363 CVE-2013-1834 CVE-2013-1835 CVE-2013-1836 moodle various flaws [fedora-18] (2013-03-25)
Bugzilla: CVE-2013-1830 CVE-2013-1831 CVE-2013-1832 CVE-2013-1833 CVE-2012-3363 CVE-2013-1834 CVE-2013-1835 CVE-2013-1836 moodle various flaws [epel-6] (2013-03-25)
Bugzilla: CVE-2012-3363 php-ZendFramework: File disclosure via XXE injection in Zend_XMLRPC (ZF2012-01) (2012-06-26)