Описание
Zendframework Local file disclosure via XXE injection in Zend_XmlRpc
Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
Пакеты
Наименование
zendframework/zendframework1
composer
Затронутые версииВерсия исправления
>= 1.0.0, < 1.11.13
1.11.13
8.6 High
CVSS3
Дефекты
CWE-611
8.6 High
CVSS3
Дефекты
CWE-611