9.1

CVE-2012-3363

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ZendZend Framework Version >= 1.0.0 < 1.11.12
ZendZend Framework Version1.12.0 Updaterc1
ZendZend Framework Version1.12.0 Updaterc2
ZendZend Framework Version1.12.0 Updaterc3
ZendZend Framework Version1.12.0 Updaterc4
FedoraprojectFedora Version17
FedoraprojectFedora Version18
DebianDebian Linux Version6.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 50.25% 0.988
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov 6.4 10 4.9
AV:N/AC:L/Au:N/C:P/I:P/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

http://framework.zend.com/security/advisory/ZF2012-01
Vendor Advisory
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284
Patch
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html
Mailing List
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html
Mailing List
http://openwall.com/lists/oss-security/2013/03/25/2
Mailing List
http://www.debian.org/security/2012/dsa-2505
Mailing List
http://www.openwall.com/lists/oss-security/2012/06/26/2
Mailing List
http://www.openwall.com/lists/oss-security/2012/06/26/4
Mailing List
http://www.openwall.com/lists/oss-security/2012/06/27/2
Mailing List
http://www.securitytracker.com/id?1027208
Third Party Advisory
Broken Link
VDB Entry
https://moodle.org/mod/forum/discuss.php?d=225345
Third Party Advisory
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
Broken Link