CVE-2013-1824 — XML External Entity (XXE) Injection in Apple MAC OS X

CWE-611 — XML External Entity (XXE) Injection CWE-200 — Sensitive Information Exposure7 documents4 sources

Severity

5.0MEDIUMNVD

NVD4.3

EPSS

2.1%

top 16.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple MAC OS X PHP Redhat Enterprise Linux

Timeline

PublishedSep 16

Latest updateMay 17

Description

The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDphp/php5.4.0 — 5.4.12+127

▶NVDapple/mac_os_x10.0.0 — 10.8.5

Also affects: Enterprise Linux 5, 6.0

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-g625-6qfm-gm8r: The SOAP parser in PHP before 5↗2022-05-17

▶

GHSA

GHSA-vhhc-mr4w-pmw6: The SOAP parser in PHP before 5↗2022-05-14

▶

📋Vendor Advisories

Red Hat

php: Ability to read arbitrary files due use of external entities while parsing SOAP WSDL files↗2013-02-20

▶

Red Hat

CVE-2013-1824: The SOAP parser in PHP before 5↗

▶

💬Community

Bugzilla

CVE-2013-1643 php: Ability to read arbitrary files due use of external entities while parsing SOAP WSDL files↗2013-03-05

▶