CVE-2012-4399
Published 2012-10-09


Priority: P2 (61), high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Flags: EXPLOIT
EPSS: 12.09% (95.6th percentile)
The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

Affected (5 ranges)

Vendor          Product  Version range            Fixed in
cakefoundation  cakephp  >= 2.1.0 < 2.1.5         2.1.5
cakefoundation  cakephp  >= 2.2.0 < 2.2.1         2.2.1
cakephp         cakephp  >= 2.1.0-alpha < 2.1.5   2.1.5
cakephp         cakephp  >= 2.2.0-beta < 2.2.1    2.2.1
debian          cakephp

Detection & IOCs (extracted from sources)

Payload (command): <!DOCTYPE foo [<!ENTITY payload SYSTEM "file:///c:/windows/win.ini">]> &payload;
  • Detect XXE payloads targeting CakePHP's Xml class by inspecting HTTP request bodies for XML DOCTYPE declarations containing SYSTEM entity references to local file paths (e.g., file:///etc/passwd or file:///c:/windows/win.ini).
  • The vulnerability exists specifically in CakePHP versions 2.1.x before 2.1.5 and 2.2.x before 2.2.1. Detection efforts should be scoped to environments running these affected version ranges.
  • The fix was applied in versions 2.2.1 and 2.1.5; systems patched to these versions or later are not vulnerable and do not require XXE-specific mitigations for this CVE.
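The request-body inspection described above, as an added detection heuristic (example code, not from cbcvebase or the CakePHP project); the sample bodies are constructed, and the checks go beyond the single quoted payload by also covering parameter entities, PUBLIC identifiers, and bare local paths.

```python
import re
from dataclasses import dataclass

# Indicators from the detection notes: a DOCTYPE that declares an external
# (SYSTEM or PUBLIC) entity, and whether that entity points at a local file.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXT_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.\-]+)\s+"
    r"(?:SYSTEM\s+|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s+)"  # PUBLIC also loads a URI
    r"(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)')",
    re.IGNORECASE,
)
# file: URIs, Windows drive paths and absolute POSIX paths count as local files.
LOCAL_FILE_RE = re.compile(r"^(?:file:|[a-z]:[\\/]|/)", re.IGNORECASE)

@dataclass
class ExternalEntity:
    name: str
    uri: str
    local_file: bool
    referenced: bool  # the entity is actually expanded somewhere in the body

def scan_xml_body(body: str) -> list:
    """Return every external entity declared in an XML request body."""
    if not DOCTYPE_RE.search(body):
        return []
    found = []
    for m in EXT_ENTITY_RE.finditer(body):
        uri = m.group("dq") if m.group("dq") is not None else m.group("sq")
        ref = ("%" if m.group("param") else "&") + m.group("name") + ";"
        found.append(ExternalEntity(m.group("name"), uri,
                                    bool(LOCAL_FILE_RE.match(uri)), ref in body))
    return found

def classify(body: str) -> str:
    """'clean', 'external-entity', or 'xxe-local-file-read' (a local-file entity that is expanded)."""
    found = scan_xml_body(body)
    if not found:
        return "clean"
    if any(e.local_file and e.referenced for e in found):
        return "xxe-local-file-read"
    return "external-entity"

# Constructed sample request bodies; the first carries the payload quoted above.
SAMPLE_WIN_INI = ('<!DOCTYPE foo [<!ENTITY payload SYSTEM "file:///c:/windows/win.ini">]>'
                  '<data>&payload;</data>')
SAMPLE_PARAM = "<!DOCTYPE x [<!ENTITY % ext SYSTEM 'http://dtd.example.invalid/x.dtd'> %ext;]><x/>"
SAMPLE_BENIGN = '<?xml version="1.0"?><data><item>&amp;</item></data>'
```

Call classify() on each decoded request body from a WAF or access log; the regexes are a triage heuristic for unpatched 2.1.x/2.2.x hosts, not a substitute for upgrading to 2.1.5/2.2.1.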

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd            v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_debian           7.5    LOW