CVE-2012-4399

HIGH

Cakefoundation CakePHP 2.1.x < 2.1.5 and 2.2.x < 2.2.1 - XXE

Title source: rule

Description

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
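The pattern behind this CWE-611 finding is a PHP XML parser that accepts an inline DTD and resolves the external (SYSTEM) entities it declares, so a file path named in the entity is read and returned as element text. The snippet below is an added example, not CakePHP's own code or the Exploit-DB PoC: parseVulnerable and parseHardened are hypothetical names, and the payload is constructed for the demonstration.

```php
<?php
// Added example, not CakePHP's code: the XXE pattern behind CWE-611 in PHP,
// shown as a minimal vulnerable parser next to a hardened one.

// Constructed payload: an inline DTD declaring an external entity that points
// at a local file; a parser that substitutes entities copies the file body into <name>.
$payload = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<data><name>&xxe;</name></data>
XML;

/**
 * Vulnerable: entity substitution is requested (LIBXML_NOENT), so libxml2
 * fetches the SYSTEM entity and returns the file body as element text.
 * libxml2 before 2.9.0 loaded external entities by default, which is how a
 * parser that set no flags at all could still be exploitable.
 */
function parseVulnerable(string $xml): string
{
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NOENT);
    $node = $doc->getElementsByTagName('name')->item(0);
    return $node === null ? '' : $node->textContent;
}

/**
 * Hardened: reject any DOCTYPE before parsing (no DTD means no entity
 * declarations), never request entity substitution, and add LIBXML_NONET so
 * nothing is fetched over the network even if a DTD slipped through.
 */
function parseHardened(string $xml): string
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    try {
        if ($doc->loadXML($xml, LIBXML_NONET) === false) {
            throw new InvalidArgumentException('Malformed XML');
        }
    } finally {
        libxml_use_internal_errors($previous);
    }
    $node = $doc->getElementsByTagName('name')->item(0);
    return $node === null ? '' : $node->textContent;
}

// Vulnerable path: the host's /etc/hostname contents come back as the <name> value.
echo "vulnerable: ", trim(parseVulnerable($payload)), PHP_EOL;

// Hardened path: the same payload is refused before libxml2 ever sees the DTD.
try {
    parseHardened($payload);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (", $e->getMessage(), ")", PHP_EOL;
}

// A DOCTYPE-free document still parses normally through the hardened path.
echo "hardened: ", parseHardened('<data><name>ok</name></data>'), PHP_EOL;
```

On PHP 8 with libxml2 2.9 or later, external entity loading is off unless the caller asks for substitution, so parseVulnerable only misbehaves because it passes LIBXML_NOENT; that is the flag to never combine with untrusted input. The DOCTYPE check is deliberately done on the raw string, before parsing, so that no entity declaration is ever processed at all.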

Exploits (1)

exploitdb WORKING POC VERIFIED
by Pawel Wylecial · text · webapps · php
https://www.exploit-db.com/exploits/19863

Scores

CVSS v3 7.5
EPSS 0.2492 (an estimated 24.9% probability of exploitation in the wild within the next 30 days)
EPSS Percentile 96.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-611
Status published
Products (2)
cakefoundation/cakephp 2.1.0 up to, but not including, 2.1.5 (fixed in 2.1.5)
cakephp/cakephp 2.1.0-alpha up to, but not including, 2.1.5 (Packagist; fixed in 2.1.5)
Note: per the description, 2.2.x before 2.2.1 is also affected; that range is not reflected in the product entries above.
Published Oct 09, 2012
Tracked Since Feb 18, 2026