PT-2013-1995 · Zend · Zend Framework
Nicolas Grégoire · Published 2013-02-13 · Updated 2022-05-17 · CVE-2012-6531
CVSS v2.0: 6.4 (Medium)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Zend Framework 1.x versions 1.11.13 and earlier
Zend Framework 1.x versions 1.12.x before 1.12.0
Description
The issue arises from the improper handling of SimpleXMLElement classes by Zend Dom, Zend Feed, and Zend Soap components in Zend Framework. This allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request. This is known as an XML external entity (XXE) injection attack.
Recommendations
For versions prior to 1.11.13, update to version 1.11.13 or later to resolve the issue.
For versions 1.12.x prior to 1.12.0, update to version 1.12.0 or later to resolve the issue.
As a temporary workaround, consider disabling the XML-RPC request handling in the affected components until a patch is available.
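The XXE pattern described above is a parser configuration problem: an XML-RPC request never legitimately needs a DOCTYPE, yet a parser that resolves external entities will follow a SYSTEM identifier in one. The following PHP function is an added illustration of the defensive handling such a component should apply, written for this page and not taken from Zend Framework; the function name, the sample requests and the `file:///example` placeholder URI are constructed for the example. It rejects any DOCTYPE or ENTITY declaration before parsing, parses with `LIBXML_NONET` and without `LIBXML_NOENT`, and re-checks the parsed document's doctype as a second line of defence.

```php
<?php
// Added example (not Zend Framework code): hardened parsing of an XML-RPC request body
// against XML external entity (XXE) injection.

function parseXmlRpcRequestSafely(string $xml): DOMDocument
{
    // An XML-RPC request has no business carrying a DTD, so refuse any declaration
    // outright instead of trying to decide which entities would be harmless.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        throw new InvalidArgumentException('DOCTYPE/ENTITY declarations are not allowed in XML-RPC requests');
    }

    // Belt and braces: stop libxml from loading external entities or DTDs at all.
    // PHP 8.0+ disables the external entity loader by default and deprecates this
    // call, so it is only used on older runtimes.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT is deliberately
    // NOT passed: with it, entity references would be substituted during the parse.
    $loaded = $dom->loadXML($xml, LIBXML_NONET);

    libxml_use_internal_errors($previousErrors);
    if ($previousLoader !== null) {
        libxml_disable_entity_loader($previousLoader);
    }

    if ($loaded === false) {
        throw new InvalidArgumentException('Malformed XML in XML-RPC request');
    }
    // Second check on the parsed tree, in case the textual check was bypassed.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE present in parsed XML-RPC request');
    }
    return $dom;
}

// Constructed sample inputs: one ordinary call and one carrying an external entity.
$samples = [
    'benign'  => '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>',
    'hostile' => '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM "file:///example">]>'
               . '<methodCall><methodName>&e;</methodName><params/></methodCall>',
];

foreach ($samples as $label => $input) {
    try {
        $doc = parseXmlRpcRequestSafely($input);
        $method = $doc->getElementsByTagName('methodName')->item(0)->textContent;
        printf("%s: accepted, method=%s\n", $label, $method);
    } catch (InvalidArgumentException $e) {
        printf("%s: rejected (%s)\n", $label, $e->getMessage());
    }
}
```

Run with `php example.php`; the benign request is accepted and the one carrying a DOCTYPE is rejected before libxml ever sees the entity declaration. The same two-layer check (textual refusal of DTD markup, then a doctype check on the parsed document) is what makes the temporary workaround above unnecessary once applied at the request-parsing boundary.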
Fix
XML Entity Expansion
RCE
Related identifiers
Affected products
Zend Framework