PT-2015-6789 · Zend+2 · Zendxml+3
Dawid Golunski
Published 2015-08-19 · Updated 2022-05-17
CVE-2015-5161
CVSS v2.0: 6.8 (Medium)
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
ZendXml versions prior to 1.0.1
Zend Framework versions prior to 1.12.14
Zend Framework 2.x versions prior to 2.4.6
Zend Framework 2.5.x versions prior to 2.5.2
Description
Zend\Xml\Security::scan() relies on libxml_disable_entity_loader() to keep libxml from resolving external entities. That PHP function is not thread-safe, so when scan() detects that it is running under PHP-FPM in a threaded environment it falls back to a heuristic instead: it searches the raw document for the string <!ENTITY and rejects anything that contains it. The heuristic only looked for the single-byte (ASCII/UTF-8) form of that string. A document submitted in a multibyte encoding such as UTF-16 does not contain that byte sequence, yet libxml still detects the encoding and honours the DOCTYPE, so a remote attacker could pass the check and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks. The fix in Zend\Xml\Security::scan() normalises the document's encoding before applying the heuristic.
Recommendations
For ZendXml versions prior to 1.0.1, update to version 1.0.1 or later.
For Zend Framework versions prior to 1.12.14, update to version 1.12.14 or later.
For Zend Framework 2.x versions prior to 2.4.6, update to version 2.4.6 or later.
For Zend Framework 2.5.x versions prior to 2.5.2, update to version 2.5.2 or later.
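To make the bypass described above concrete, here is an added Python example (not ZendXml's code) that models the two sides of the check: a naive scan that looks for the ASCII bytes <!ENTITY, the way the pre-fix heuristic did, and a hardened scan that first detects the document's encoding from its byte-order mark or the layout of its XML declaration and transcodes to text before searching. The sample payload, the function names and the UTF-32 handling (which goes beyond the UTF-16 case the advisory describes) are constructed for this illustration; Python's expat-based xml.etree stands in for libxml to show that the UTF-16 document the naive scan waves through is still parsed as a full DOCTYPE with its entity expanded.

```python
"""Model of the CVE-2015-5161 heuristic bypass and a hardened check.

Constructed for illustration; none of this is ZendXml code. expat
(xml.etree) plays the role of libxml as the real parser.
"""
import codecs
import xml.etree.ElementTree as ET

ENTITY_MARKER = "<!ENTITY"

# BOM table, longest prefix first: the UTF-32LE BOM (ff fe 00 00) must not
# be mistaken for the UTF-16LE BOM (ff fe).
BOMS = (
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
)

# BOM-less documents: the declaration starts with "<?", so the position of
# the 0x3C byte within the first four bytes reveals width and byte order
# (the same trick XML 1.0 Appendix F describes for parsers).
DECL_SIGNATURES = (
    (b"\x00\x00\x00<", "utf-32-be"),
    (b"<\x00\x00\x00", "utf-32-le"),
    (b"\x00<\x00?", "utf-16-be"),
    (b"<\x00?\x00", "utf-16-le"),
)

# Encoding name to put in the XML declaration, and the BOM to prepend.
DECLARED = {
    "utf-8": ("UTF-8", codecs.BOM_UTF8),
    "utf-16-le": ("UTF-16", codecs.BOM_UTF16_LE),
    "utf-16-be": ("UTF-16", codecs.BOM_UTF16_BE),
    "utf-32-le": ("UTF-32", codecs.BOM_UTF32_LE),
    "utf-32-be": ("UTF-32", codecs.BOM_UTF32_BE),
}


def build_payload(encoding: str, with_bom: bool = True) -> bytes:
    """Constructed sample document: one internal entity used in the root."""
    declared, bom = DECLARED[encoding]
    doc = (
        f'<?xml version="1.0" encoding="{declared}"?>'
        '<!DOCTYPE r [<!ENTITY e "expanded-by-parser">]>'
        "<r>&e;</r>"
    )
    return (bom if with_bom else b"") + doc.encode(encoding)


def naive_heuristic_scan(data: bytes) -> bool:
    """The weak check: only the single-byte form of the marker is visible."""
    return ENTITY_MARKER.encode("ascii") in data


def detect_encoding(data: bytes) -> str:
    """Pick the wire encoding from the BOM, else the declaration layout."""
    for bom, enc in BOMS:
        if data.startswith(bom):
            return enc
    for sig, enc in DECL_SIGNATURES:
        if data.startswith(sig):
            return enc
    return "utf-8"


def hardened_heuristic_scan(data: bytes) -> bool:
    """Transcode first, then search, so the marker is found in any
    supported encoding. Undecodable input is treated as suspicious."""
    try:
        text = data.decode(detect_encoding(data))
    except UnicodeDecodeError:
        return True
    return ENTITY_MARKER in text


def parse_root_text(data: bytes) -> str:
    """What the real parser does with the same bytes: expat reads the BOM,
    accepts the DOCTYPE and expands the internal entity."""
    return ET.fromstring(data).text


if __name__ == "__main__":
    utf16 = build_payload("utf-16-le")
    print("naive check flags UTF-16 payload:   ", naive_heuristic_scan(utf16))
    print("hardened check flags UTF-16 payload:", hardened_heuristic_scan(utf16))
    print("parser expanded entity to:          ", parse_root_text(utf16))
```

The naive scan returns False for the UTF-16 payload while the parser still expands the entity, which is exactly the gap the advisory describes; transcoding before the substring search closes it for every encoding the detector understands. The same check with an external entity instead of an internal one is the XXE case; expat is used here only because it runs offline, so the UTF-32 payloads exercise the scanner but are not passed to the parser.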
XML Entity Expansion
XXE
Affected products
Php-Fpm
Suse
Zend Framework
Zendxml