Skip to content

Zend Framework XXE Vulnerability

Moderate severity GitHub Reviewed Published May 17, 2022 to the GitHub Advisory Database • Updated Jan 12, 2024

Package

composer zendframework/zendframework1 (Composer)

Affected versions

< 1.11.15
>= 1.12.0-rc1, < 1.12.1

Patched versions

1.11.15
1.12.1

Description

The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.

References

Published by the National Vulnerability Database May 2, 2013
Published to the GitHub Advisory Database May 17, 2022
Reviewed Jan 12, 2024
Last updated Jan 12, 2024

Severity

Moderate

EPSS score

0.288%
(68th percentile)

CVE ID

CVE-2012-5657

GHSA ID

GHSA-9m5v-vq4f-mrvf

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.