CVE-2014-2682 — XML External Entity (XXE) Injection in Framework

CWE-611 — XML External Entity (XXE) Injection CWE-776 — XML Entity Expansion5 documents5 sources

Severity

6.8MEDIUMNVD

CNA5.0GHSA5.0OSV5.0

EPSS

1.8%

top 17.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zend Framework Zendframework Zendframework1 Zendframework Zendopenid +17 more

Timeline

PublishedNov 16

Latest updateMay 14

Description

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) at…

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages20 packages

▶Packagistzendframework/zendrest< 2.0.2

▶Packagistzendframework/zendopenid< 2.0.2

▶Packagistzendframework/zendservice-slideshare< 2.0.2

▶NVDzend/zend_framework2.1.0 — 2.1.6+2

▶Packagistzendframework/zendframework1< 1.12.4

🔴Vulnerability Details

OSV

Several Zend Products Vulnerable to XXE and XEE attacks↗2022-05-14

▶

GHSA

Several Zend Products Vulnerable to XXE and XEE attacks↗2022-05-14

▶

CVEList

CVE-2014-2682: Zend Framework 1 (ZF1) before 1↗2014-11-16

▶

💬Community

Bugzilla

CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 php-ZendFramework: XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws fixed in 1.12.4, 2.1.6, and 2.2.6 (ZF2014-01)↗2014-03-27

▶