CVE-2012-4399
CakePHP allows remote attackers to read arbitrary files via XML data containing external entity references
Severity: HIGH 7.5 | EPSS: 24.9% | Package: CakePHP
Published: 5/17/2022 | Modified: 4/9/2024 (dates of this advisory record; the fix itself was announced in July 2012, see the bakery link under References)
Also known as: GHSA-5964-pq8r-4q62
Description
The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
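The mechanism behind the description, as an added example in plain PHP (this is not CakePHP's Xml class and not the project's patch): a DOCTYPE declares an external entity pointing at a local file, the parser fetches it while substituting entities, and the file content ends up in the parsed tree. The secret file, the payload and the function names `parseUnsafe` / `parseSafe` are constructed for the demo. Around 2012, PHP's libxml binding fetched external entities even without `LIBXML_NOENT`, which is why disabling the entity loader was the fix of that era; on PHP 8 external entity loading is off unless `LIBXML_NOENT` is passed explicitly, so the flag is used here to make the unsafe path reproducible.

```php
<?php
// Added example, not CakePHP code: XXE file read with plain PHP/libxml calls,
// then a hardened parse. Requires php-cli with the simplexml extension.

// Constructed stand-in for /etc/passwd so the demo runs anywhere writable.
$secretPath = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretPath, "SECRET-FILE-CONTENT\n");

// Constructed attacker payload: an external SYSTEM entity that resolves to a
// local file, referenced from inside an ordinary data element.
$payload = sprintf(
    '<?xml version="1.0"?>' . "\n"
    . '<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file://%s"> ]>' . "\n"
    . '<data><user>&xxe;</user></data>',
    $secretPath
);

// Vulnerable pattern: entity substitution on, entity loader not disabled,
// so libxml reads the file and returns its content as the element text.
function parseUnsafe(string $xml): string
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? '' : (string) $doc->user;
}

// Hardened pattern: reject any DTD up front (a data API has no reason to
// accept one), keep the entity loader off on PHP < 8, never pass
// LIBXML_NOENT, and forbid network fetches as defence in depth.
function parseSafe(string $xml): ?string
{
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null; // DTD present: entity definitions possible, refuse input
    }
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        // Deprecated and unnecessary on PHP 8+, still needed on older runtimes.
        $prevLoader = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    if ($prevLoader !== null) {
        libxml_disable_entity_loader($prevLoader);
    }
    return $doc === false ? null : (string) $doc->user;
}

echo "unsafe parse of payload: ", trim(parseUnsafe($payload)), "\n";
echo "safe parse of payload:   ", var_export(parseSafe($payload), true), "\n";
echo "safe parse, benign input: ", parseSafe('<data><user>alice</user></data>'), "\n";

unlink($secretPath);
```

Running this prints the secret file's content from the unsafe path and `NULL` from the hardened path, while a DTD-free document still parses normally. The DOCTYPE check is the part worth keeping even on modern PHP: it removes the whole class of entity tricks (file read, SSRF via `http://` entities, billion-laughs expansion) rather than relying on which parser flags a given call site happens to pass. If you are on the 2.x line of the framework, the upstream fix shipped in 2.1.5 and 2.2.1 per the advisory; the exact option names the patched Xml class exposes are not on this page and should be checked against the release notes linked below.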
Affected packages (1)
- Packagist / cakephp/cakephp: >= 2.1.0-alpha, < 2.1.5
Note: the listed range covers only the 2.1 branch. The description above also names 2.2.x before 2.2.1, so a 2.2.0 install should be treated as affected and upgraded to 2.2.1 or later.
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2012-4399
- PATCH: https://github.com/cakephp/cakephp (repository root, not a specific fixing commit)
- WEB: http://bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1
- WEB: http://seclists.org/bugtraq/2012/Jul/101
- WEB: http://secunia.com/advisories/49900
- WEB: http://www.exploit-db.com/exploits/19863
- WEB: http://www.openwall.com/lists/oss-security/2012/09/03/1
- WEB: http://www.openwall.com/lists/oss-security/2012/09/03/2
- WEB: http://www.osvdb.org/84042