7.5
CVE-2012-4399
- EPSS 12.09%
- Veröffentlicht 09.10.2012 23:55:05
- Zuletzt bearbeitet 16.06.2026 23:44:56
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
LoginThe Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cakefoundation ≫ Cakephp Version >= 2.1.0 < 2.1.5
Cakefoundation ≫ Cakephp Version >= 2.2.0 < 2.2.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 12.09% | 0.956 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:P/I:N/A:N
|
CWE-611 Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
http://bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1
http://seclists.org/bugtraq/2012/Jul/101
http://secunia.com/advisories/49900
http://www.exploit-db.com/exploits/19863
http://www.openwall.com/lists/oss-security/2012/09/03/1
http://www.openwall.com/lists/oss-security/2012/09/03/2
http://www.osvdb.org/84042