CVE-2012-6531
Zend Framework 1.x < 1.11.13 and 1.12.x < 1.12.0 - XML External Entity Injection via SimpleXMLElement Handling
Title source: llmDescription
(1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement classes, which allow remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack, a different vulnerability than CVE-2012-3363.
References (6)
Core 6
Core References
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/06/27/2
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2012/dsa-2505
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/06/26/4
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/06/26/2
Vendor Advisory x_refsource_confirm
http://framework.zend.com/security/advisory/ZF2012-01
Various Sources x_refsource_misc
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
Scores
EPSS
0.0252
EPSS Percentile
83.0%
Details
CWE
CWE-20
Status
published
Products (50)
zend/zend_framework
1.0.4
zend/zend_framework
1.5.0
zend/zend_framework
1.5.1
zend/zend_framework
1.5.2
zend/zend_framework
1.5.3
zend/zend_framework
1.6.0
zend/zend_framework
1.6.1
zend/zend_framework
1.6.2
zend/zend_framework
1.7.0
zend/zend_framework
1.7.1
... and 40 more
Published
Feb 13, 2013
Tracked Since
Feb 18, 2026