CVE-2012-6532 — XML External Entity (XXE) Injection in Framework

CWE-399 CWE-611 — XML External Entity (XXE) Injection CWE-776 — XML Entity Expansion10 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

0.5%

top 35.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zend Framework Zendframework Zendframework1 Zendframework Zendopenid +17 more

Timeline

PublishedFeb 13

Latest updateMay 17

Description

(1) Zend_Dom, (2) Zend_Feed, (3) Zend_Soap, and (4) Zend_XmlRpc in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 allow remote attackers to cause a denial of service (CPU consumption) via recursive or circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages20 packages

▶Packagistzendframework/zendservice-api< 1.0.0

▶Packagistzendframework/zendservice-amazon< 2.0.3

▶Packagistzendframework/zendservice-nirvanix< 2.0.2

▶Packagistzendframework/zendservice-slideshare< 2.0.2

▶Packagistzendframework/zendservice-technorati< 2.0.2

🔴Vulnerability Details

GHSA

Zend Framework XEE Vulnerability↗2022-05-17

▶

OSV

Zend Framework XEE Vulnerability↗2022-05-17

▶

GHSA

Several Zend Products Vulnerable to XXE and XEE attacks↗2022-05-14

▶

OSV

Several Zend Products Vulnerable to XXE and XEE attacks↗2022-05-14

▶

CVEList

CVE-2014-2683: Zend Framework 1 (ZF1) before 1↗2014-11-16

▶

💬Community

Bugzilla

CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 php-ZendFramework: XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws fixed in 1.12.4, 2.1.6, and 2.2.6 (ZF2014-01)↗2014-03-27

▶