CVE-2012-3363

Severity

64%

Complexity

99%

Confidentiality

81%

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.

CVSS 2.0 Base Score 6.4. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N).

Overview

Type

Zend Framework

First reported 12 years ago

2013-02-13 17:55:00

Last updated 11 years ago

2013-12-05 05:15:00

Affected Software

Zend Framework 1.0.0

1.0.0

Zend Framework 1.0.0 Release Candidate 1

1.0.0

Zend Framework 1.0.0 Release Candidate

1.0.0

Zend Framework 1.0.0 Release Candidate 2a

1.0.0

Zend Framework 1.0.0 Release Candidate 3

1.0.0

Zend Framework 1.0.1

1.0.1

Zend Framework 1.0.2

1.0.2

Zend Framework 1.0.3

1.0.3

Zend Framework 1.0.4

1.0.4

Zend Framework 1.5.0

1.5.0

Zend Framework 1.5.0pl

1.5.0

Zend Framework 1.5.0PR

1.5.0

Zend Framework 1.5.0 Release Candidate 1

1.5.0

Zend Framework 1.5.0 Release Candidate 2

1.5.0

Zend Framework 1.5.0 Release Candidate 3

1.5.0

Zend Framework 1.5.1

1.5.1

Zend Framework 1.5.2

1.5.2

Zend Framework 1.5.3

1.5.3

Zend Framework 1.6.0

1.6.0

Zend Framework 1.6.0 Release Candidate 1

1.6.0

Zend Framework 1.6.0 Release Candidate 2

1.6.0

Zend Framework 1.6.0 Release Candidate 3

1.6.0

Zend Framework 1.6.1

1.6.1

Zend Framework 1.6.2

1.6.2

Zend Framework 1.7.0

1.7.0

Zend Framework 1.7.0pl1

1.7.0

Zend Framework 1.7.0pr

1.7.0

Zend Framework 1.7.1

1.7.1

Zend Framework 1.7.2

1.7.2

Zend Framework 1.7.3

1.7.3

Zend Framework 1.7.3pl1

1.7.3

Zend Framework 1.7.4

1.7.4

Zend Framework 1.7.5

1.7.5

Zend Framework 1.7.6

1.7.6

Zend Framework 1.7.7

1.7.7

Zend Framework 1.7.8

1.7.8

Zend Framework 1.7.9

1.7.9

Zend Framework 1.8.0

1.8.0

Zend Framework 1.8.0a1

1.8.0

Zend Framework 1.8.0b1

1.8.0

Zend Framework 1.8.1

1.8.1

Zend Framework 1.8.2

1.8.2

Zend Framework 1.8.3

1.8.3

Zend Framework 1.8.4

1.8.4

Zend Framework 1.8.4pl1

1.8.4

Zend Framework 1.8.5

1.8.5

Zend Framework 1.9.0

1.9.0

Zend Framework 1.9.0a1

1.9.0

Zend Framework 1.9.0b1

1.9.0

Zend Framework 1.9.0rc1

1.9.0

Zend Framework 1.9.1

1.9.1

Zend Framework 1.9.2

1.9.2

Zend Framework 1.9.3

1.9.3

Zend Framework 1.9.3pl1

1.9.3

Zend Framework 1.9.4

1.9.4

Zend Framework 1.9.5

1.9.5

Zend Framework 1.9.6

1.9.6

Zend Framework 1.9.7

1.9.7

Zend Framework 1.9.8

1.9.8

Zend Framework 1.10.0

1.10.0

Zend Framework 1.10.0alpha1

1.10.0

Zend Framework 1.10.0beta1

1.10.0

Zend Framework 1.10.0 Release Candidate 1

1.10.0

Zend Framework 1.10.1

1.10.1

Zend Framework 1.10.2

1.10.2

Zend Framework 1.10.3

1.10.3

Zend Framework 1.10.4

1.10.4

Zend Framework 1.10.5

1.10.5

Zend Framework 1.10.6

1.10.6

Zend Framework 1.10.7

1.10.7

Zend Framework 1.10.8

1.10.8

Zend Framework 1.10.9

1.10.9

Zend Framework 1.11.0

1.11.0

Zend Framework 1.11.0b1

1.11.0

Zend Framework 1.11.0 Release Candidate 1

1.11.0

Zend Framework 1.11.1

1.11.1

Zend Framework 1.11.2

1.11.2

Zend Framework 1.11.3

1.11.3

Zend Framework 1.11.4

1.11.4

Zend Framework 1.11.5

1.11.5

Zend Framework 1.11.6

1.11.6

Zend Framework 1.11.7

1.11.7

Zend Framework 1.11.8

1.11.8

Zend Framework 1.11.9

1.11.9

Zend Framework 1.11.10

1.11.10

Zend Framework 1.11.11

1.11.11

Zend Framework 1.12.0 Release Candidate 1

1.12.0

Zend Framework 1.12.0 Release Candidate 2

1.12.0

Zend Framework 1.12.0 Release Candidate 3

1.12.0

Zend Framework 1.12.0 Release Candidate 4

1.12.0

References

http://framework.zend.com/security/advisory/ZF2012-01

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284

FEDORA-2013-4404

FEDORA-2013-4387

[oss-security] 20130325 Moodle security notifications public

DSA-2505

[oss-security] 20120626 XXE in Zend

[oss-security] 20120626 Re: XXE in Zend

[oss-security] 20120627 Re: XXE in Zend

1027208

https://moodle.org/mod/forum/discuss.php?d=225345

https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.