FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2012-3363

This CVE name corresponds to:

Entered: 2012-10-16
Topic: Zend Framework -- Multiple vulnerabilities via XXE injection

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2012-3363
Phase: Assigned (20120614)

Description

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.

References

Source    Reference
MLIST [oss-security] 20120626 Re: XXE in Zend
MLIST [oss-security] 20120626 XXE in Zend
MLIST [oss-security] 20120627 Re: XXE in Zend
MLIST [oss-security] 20130325 Moodle security notifications public
MISC https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
CONFIRM http://framework.zend.com/security/advisory/ZF2012-01
CONFIRM http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284
CONFIRM https://moodle.org/mod/forum/discuss.php?d=225345
DEBIAN DSA-2505
FEDORA FEDORA-2013-4387
FEDORA FEDORA-2013-4404
SECTRACK 1027208