
CVE-2015-5161
Date: (C)2015-08-28   (M)2023-12-22


The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score : 6.8
Exploit Score: 8.6
Impact Score: 6.4
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
  
Reference:
http://seclists.org/fulldisclosure/2015/Aug/46
EXPLOIT-DB-37765
BID-76177
DSA-3340
FEDORA-2015-13314
FEDORA-2015-13488
FEDORA-2015-13529
http://framework.zend.com/security/advisory/ZF2015-06
http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
http://packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html

CPE    140
cpe:/a:zend:zend_framework:1.10.9
cpe:/a:zend:zend_framework:1.10.8
cpe:/a:zend:zend_framework:1.10.7
cpe:/a:zend:zend_framework:1.10.6
...
OVAL    8
oval:org.secpod.oval:def:109687
oval:org.secpod.oval:def:602208
oval:org.secpod.oval:def:109472
oval:org.secpod.oval:def:109475
...

© SecPod Technologies