{"id":"GHSA-7pg4-5233-82jv","summary":"Zend Framework XXE Vulnerability","details":"`Zend_XmlRpc` in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle `SimpleXMLElement` classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.","aliases":["CVE-2012-3363"],"modified":"2024-04-09T14:07:57Z","published":"2022-05-17T04:56:50Z","database_specific":{"cwe_ids":["CWE-611"],"severity":"HIGH","nvd_published_at":"2013-02-13T17:55:00Z","github_reviewed":true,"github_reviewed_at":"2024-01-12T18:22:11Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3363"},{"type":"WEB","url":"https://github.com/zendframework/zf1/commit/281a3251d71ed40a5289ec4afc355eea8e014dc5"},{"type":"PACKAGE","url":"https://github.com/zendframework/zf1"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=225345"},{"type":"WEB","url":"https://web.archive.org/web/20170223044943/http://www.securitytracker.com/id?1027208"},{"type":"WEB","url":"https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt"},{"type":"WEB","url":"http://framework.zend.com/security/advisory/ZF2012-01"},{"type":"WEB","url":"http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284"},{"type":"WEB","url":"http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html"},{"type":"WEB","url":"http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2013/03/25/2"},{"type":"WEB","url":"http://www.debian.org/security/2012/dsa-2505"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2012/06/26/2"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2012/06/26/4"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2012/06/27/2"},{"type":"WEB","url":"http://www.securitytracker.com/id?1027208"}],"affected":[{"package":{"name":"zendframework/zendframework1","ecosystem":"Packagist","purl":"pkg:composer/zendframework/zendframework1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.0.0"},{"fixed":"1.11.12"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7pg4-5233-82jv/GHSA-7pg4-5233-82jv.json"}},{"package":{"name":"zendframework/zendframework1","ecosystem":"Packagist","purl":"pkg:composer/zendframework/zendframework1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.12.0-rc1"},{"fixed":"1.12.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7pg4-5233-82jv/GHSA-7pg4-5233-82jv.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}