Headline
GHSA-229x-22xc-2f2w: Zendframework Local file disclosure via XXE injection in Zend_XmlRpc
Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
Zendframework Local file disclosure via XXE injection in Zend_XmlRpc
High severity GitHub Reviewed Published Jun 7, 2024 to the GitHub Advisory Database • Updated Jun 7, 2024