CVE-2012-4399
HIGH
CakePHP 2.1.0-2.1.4 and 2.1.0-alpha-2.1.4 - XML External Entity Injection
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2012-4399. PoCs published by Pawel Wylecial.
AI-analyzed exploit summary: This exploit demonstrates an XXE (XML External Entity) injection vulnerability in CakePHP versions 2.x to 2.2.0-RC2. It allows an attacker to read arbitrary files from the server by crafting a malicious XML payload.
Description
The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
Exploits (1)
References (7)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N