CVE-2012-6531

Zend Framework 1.x < 1.11.13 and 1.12.x < 1.12.0 - XML External Entity Injection via SimpleXMLElement Handling

Title source: llm
STIX 2.1

Description

(1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement classes, which allow remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack, a different vulnerability than CVE-2012-3363.

References (6)

Core 6
Core References
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/06/27/2
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2012/dsa-2505
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/06/26/4
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/06/26/2
Vendor Advisory x_refsource_confirm
http://framework.zend.com/security/advisory/ZF2012-01

Scores

EPSS 0.0252
EPSS Percentile 83.0%

Details

CWE
CWE-20
Status published
Products (50)
zend/zend_framework 1.0.4
zend/zend_framework 1.5.0
zend/zend_framework 1.5.1
zend/zend_framework 1.5.2
zend/zend_framework 1.5.3
zend/zend_framework 1.6.0
zend/zend_framework 1.6.1
zend/zend_framework 1.6.2
zend/zend_framework 1.7.0
zend/zend_framework 1.7.1
... and 40 more
Published Feb 13, 2013
Tracked Since Feb 18, 2026