Vulnerability CVE-2015-5161
Published: 2015-08-25

Description:
The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.

See advisories in our WLB2 database:
Topic
Author
Date
High
Zend Framework 2.4.2 / 1.12.13 XXE Injection
Dawid Golunski
13.08.2015

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
ZEND -> Zend framework 

 References:
http://framework.zend.com/security/advisory/ZF2015-06
http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html
http://packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html
http://seclists.org/fulldisclosure/2015/Aug/46
http://www.debian.org/security/2015/dsa-3340
http://www.securityfocus.com/bid/76177
https://www.exploit-db.com/exploits/37765/
Copyright 2024, cxsecurity.com

 

Back to Top