CVE-2014-2681 — XML External Entity (XXE) Injection in Framework

CWE-611 — XML External Entity (XXE) Injection5 documents5 sources

Severity

6.4MEDIUMNVD

CNA5.0GHSA5.0OSV5.0

EPSS

3.0%

top 13.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zend Framework Zendframework Zendframework1 Zendframework Zendopenid +17 more

Timeline

PublishedNov 16

Latest updateMay 14

Description

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Ent…

CVSS vector

AV:N/AC:L/C:P/I:N/A:PExploitability: 10.0 | Impact: 4.9

Affected Packages20 packages

▶Packagistzendframework/zendrest< 2.0.2

▶Packagistzendframework/zendopenid< 2.0.2

▶Packagistzendframework/zendservice-api< 1.0.0

▶Packagistzendframework/zendservice-amazon< 2.0.3

▶Packagistzendframework/zendservice-nirvanix< 2.0.2

🔴Vulnerability Details

GHSA

Several Zend Products Vulnerable to XXE and XEE attacks↗2022-05-14

▶

OSV

Several Zend Products Vulnerable to XXE and XEE attacks↗2022-05-14

▶

CVEList

CVE-2014-2681: Zend Framework 1 (ZF1) before 1↗2014-11-16

▶

💬Community

Bugzilla

CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 php-ZendFramework: XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws fixed in 1.12.4, 2.1.6, and 2.2.6 (ZF2014-01)↗2014-03-27

▶