CVE-2012-3363

Name of the Vulnerable Software and Affected Versions Zend Framework versions 1.x prior to 1.11.12 Zend Framework versions 1.12.x prior to 1.12.0

Description The issue allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, also known as an XML external entity (XXE) injection attack. This occurs due to the improper handling of SimpleXMLElement classes by the Zend XmlRpc component.

Recommendations For Zend Framework versions 1.x prior to 1.11.12, update to version 1.11.12 or later. For Zend Framework versions 1.12.x prior to 1.12.0, update to version 1.12.0 or later. As a temporary workaround, consider restricting access to the Zend XmlRpc component until a patch is applied.