ZendXml and Zend Framework contain XXE and XEE Vulnerabilities
Moderate severity
GitHub Reviewed
Published May 17, 2022 to the GitHub Advisory Database • Updated Feb 7, 2024
Description
Published by the National Vulnerability Database: Aug 25, 2015
Reviewed: Aug 3, 2023
The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.
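The following is an added example, not code from ZendXml or from this advisory. It shows why a check that searches raw bytes misses an entity declaration in a multibyte-encoded document, and how transcoding to UTF-8 before the search closes that gap. It assumes the weak check is a byte-level search for the `<!ENTITY` marker, which the advisory does not spell out. The function names are hypothetical.

```php
<?php
// Added illustration; not ZendXml code. All function names are hypothetical.
// Requires the mbstring extension.

// Assumed shape of the weak check: a byte-level search for an entity declaration.
function naiveHasEntity(string $xml): bool
{
    return stripos($xml, '<!ENTITY') !== false;
}

// Work out the real encoding from the leading bytes and transcode to UTF-8.
function toUtf8(string $xml): string
{
    // Byte-order marks, 4-byte forms first so UTF-32LE is not mistaken for UTF-16LE.
    $boms = [
        "\x00\x00\xFE\xFF" => 'UTF-32BE', "\xFF\xFE\x00\x00" => 'UTF-32LE',
        "\xEF\xBB\xBF" => 'UTF-8', "\xFE\xFF" => 'UTF-16BE', "\xFF\xFE" => 'UTF-16LE',
    ];
    foreach ($boms as $bom => $enc) {
        if (strncmp($xml, $bom, strlen($bom)) === 0) {
            return mb_convert_encoding(substr($xml, strlen($bom)), 'UTF-8', $enc);
        }
    }
    // No BOM: recognise how a leading "<" is laid out in each multibyte family.
    $starts = [
        "\x00\x00\x00<" => 'UTF-32BE', "<\x00\x00\x00" => 'UTF-32LE',
        "\x00<" => 'UTF-16BE', "<\x00" => 'UTF-16LE',
    ];
    foreach ($starts as $start => $enc) {
        if (strncmp($xml, $start, strlen($start)) === 0) {
            return mb_convert_encoding($xml, 'UTF-8', $enc);
        }
    }
    return $xml; // treated as an ASCII-compatible single-byte or UTF-8 document
}

// Hardened check: normalise first, then run the same search.
function hardenedHasEntity(string $xml): bool
{
    return naiveHasEntity(toUtf8($xml));
}

// Constructed sample: a harmless internal entity, re-encoded as UTF-16LE with a BOM.
$utf8  = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "x">]><r>&a;</r>';
$utf16 = "\xFF\xFE" . mb_convert_encoding($utf8, 'UTF-16LE', 'UTF-8');

printf("naive, UTF-8 input:     %s\n", var_export(naiveHasEntity($utf8), true));
printf("naive, UTF-16 input:    %s\n", var_export(naiveHasEntity($utf16), true));
printf("hardened, UTF-16 input: %s\n", var_export(hardenedHasEntity($utf16), true));
```

This sketch only handles encodings identifiable from a BOM or a leading `<`. A stricter variant would reject any document whose encoding it cannot identify instead of passing it through unchanged.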