PT-2015-6789 · Zend+2 · Zendxml+3
Dawid Golunski
·
Published
2015-08-19
·
Updated
2022-05-17
·
CVE-2015-5161
CVSS v2.0
6.8
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
ZendXml versions prior to 1.0.1
Zend Framework versions prior to 1.12.14
Zend Framework 2.x versions prior to 2.4.6
Zend Framework 2.5.x versions prior to 2.5.2
Description
The issue allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters when running under PHP-FPM in a threaded environment. This is due to a problem in the
Zend Xml Security::scan function.Recommendations
For ZendXml version prior to 1.0.1, update to version 1.0.1 or later.
For Zend Framework version prior to 1.12.14, update to version 1.12.14 or later.
For Zend Framework 2.x version prior to 2.4.6, update to version 2.4.6 or later.
For Zend Framework 2.5.x version prior to 2.5.2, update to version 2.5.2 or later.
Exploit
Fix
XML Entity Expansion
XXE
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Php-Fpm
Suse
Zend Framework
Zendxml