CVE-2012-4399
HIGH 7.5 | EPSS 24.9% | CakePHP allows remote attackers to read arbitrary files via XML data containing external entity references
Published: 2022/5/17 | Modified: 2024/4/9
Description
The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
Affected packages (1)
- Packagist/cakephp/cakephp: >= 2.1.0-alpha, < 2.1.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2012-4399
- PATCH: https://github.com/cakephp/cakephp
- WEB: http://bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1
- WEB: http://seclists.org/bugtraq/2012/Jul/101
- WEB: http://secunia.com/advisories/49900
- WEB: http://www.exploit-db.com/exploits/19863
- WEB: http://www.openwall.com/lists/oss-security/2012/09/03/1
- WEB: http://www.openwall.com/lists/oss-security/2012/09/03/2
- WEB: http://www.osvdb.org/84042