CVE-2012-6531 — XML Entity Expansion in Framework

CWE-776 — XML Entity Expansion6 documents5 sources

Severity

6.4MEDIUMNVD

CNA9.1GHSA9.1OSV9.1

EPSS

0.9%

top 24.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zendframework Zendframework1 Zend Framework

Timeline

PublishedFeb 13

Latest updateMay 1

Description

(1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement classes, which allow remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack, a different vulnerability than CVE-2012-3363.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages2 packages

▶Packagistzendframework/zendframework11.0 — 1.11.13+1

▶NVDzend/zend_framework56 versions+55

🔴Vulnerability Details

GHSA

Zend Framework XEE Vulnerability↗2022-05-17

▶

OSV

Zend Framework XEE Vulnerability↗2022-05-17

▶

CVEList

CVE-2012-6531: (1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1↗2013-02-13

▶

OSV

CVE-2012-6531: (1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1↗2013-02-13

▶

📄Research Papers

arXiv

Graphene: Infrastructure Security Posture Analysis with AI-generated Attack Graphs↗2024-05-01

▶