CVE-2012-3363
HIGH7.3EPSS 55.1%zendframework - information disclosure
Published: 5/17/2022Modified: 3/9/2026
Description
`Zend_XmlRpc` in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle `SimpleXMLElement` classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
Affected packages (2)
- Debian/zendframeworkfrom 0, < 1.10.6-1squeeze1
- Packagist/zendframework/zendframework1>= 1.0.0, < 1.11.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
References (16)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2012-3363
- PATCHhttps://github.com/zendframework/zf1
- WEBhttp://framework.zend.com/security/advisory/ZF2012-01
- WEBhttp://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284
- WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html
- WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html
- WEBhttp://openwall.com/lists/oss-security/2013/03/25/2
- WEBhttps://github.com/zendframework/zf1/commit/281a3251d71ed40a5289ec4afc355eea8e014dc5
- WEBhttps://moodle.org/mod/forum/discuss.php?d=225345
- WEBhttps://web.archive.org/web/20170223044943/http://www.securitytracker.com/id?1027208
- WEBhttps://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
- WEBhttp://www.debian.org/security/2012/dsa-2505
- WEBhttp://www.openwall.com/lists/oss-security/2012/06/26/2
- WEBhttp://www.openwall.com/lists/oss-security/2012/06/26/4
- WEBhttp://www.openwall.com/lists/oss-security/2012/06/27/2
- WEBhttp://www.securitytracker.com/id?1027208