Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2012-4399 — XML External Entity (XXE) Injection in Cakephp

CWE-611 — XML External Entity (XXE) Injection6 documents6 sources

Severity

7.5HIGHNVD

EPSS

24.9%

top 3.83%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Cakefoundation Cakephp Cakephp Debian Cakephp

Timeline

PublishedOct 9

Latest updateMay 17

Description

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Packagistcakephp/cakephp2.1.0-alpha — 2.1.5+1

▶NVDcakefoundation/cakephp2.1.0 — 2.1.5+1

▶debiandebian/cakephp

🔴Vulnerability Details

GHSA

CakePHPallows remote attackers to read arbitrary files via XML data containing external entity references↗2022-05-17

▶

OSV

CakePHPallows remote attackers to read arbitrary files via XML data containing external entity references↗2022-05-17

▶

💥Exploits & PoCs

Exploit-DB

CakePHP 2.x < 2.2.0-RC2 - XML External Entity Injection↗2012-07-16

▶

📋Vendor Advisories

Debian

CVE-2012-4399: cakephp - The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote...↗2012

▶

📐Framework References

CWE

Improper Restriction of XML External Entity Reference↗

▶