Zend_XmlRpc in Zend Framework 1.x prior to 1.11.12 and 1.12.x prior to 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote malicious users to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
Vulnerable Product |
---|
zend zend framework 1.12.0 |
zend zend framework |
fedoraproject fedora 17 |
fedoraproject fedora 18 |
debian debian linux 6.0 |