Pádraic Brady

**Name of the Vulnerable Software and Affected Versions** Zend Framework 1.x versions prior to 1.11.13 Zend Framework 1.x versions 1.12.x prior to 1.12.0 **Description** The issue allows remote attackers to cause a denial of service, specifically CPU consumption, via recursive or circular references in an XML entity definition in an XML DOCTYPE declaration. This type of attack is known as an XML Entity Expansion (XEE) attack. **Recommendations** For versions prior to 1.11.13, update to version 1.11.13 or later to resolve the issue. For versions 1.12.x prior to 1.12.0, update to version 1.12.0 or later to resolve the issue. As a temporary workaround, consider restricting the processing of XML DOCTYPE declarations to minimize the risk of exploitation.