CVE-2015-5161
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/08/2015
Last modified:
12/04/2025
Description
The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.
Impact
Base Score 2.0
6.80
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:zend:zend_framework:1.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:zend:zend_framework:1.0.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:a:zend:zend_framework:1.0.0:rc2:*:*:*:*:*:* | ||
| cpe:2.3:a:zend:zend_framework:1.0.0:rc2a:*:*:*:*:*:* | ||
| cpe:2.3:a:zend:zend_framework:1.0.0:rc3:*:*:*:*:*:* | ||
| cpe:2.3:a:zend:zend_framework:1.0.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:zend:zend_framework:1.0.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:zend:zend_framework:1.0.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:zend:zend_framework:1.0.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:zend:zend_framework:1.5.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:a:zend:zend_framework:1.5.0:rc2:*:*:*:*:*:* | ||
| cpe:2.3:a:zend:zend_framework:1.5.0:rc3:*:*:*:*:*:* | ||
| cpe:2.3:a:zend:zend_framework:1.5.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:zend:zend_framework:1.5.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:zend:zend_framework:1.5.3:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://framework.zend.com/security/advisory/ZF2015-06
- http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html
- http://packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html
- http://seclists.org/fulldisclosure/2015/Aug/46
- http://www.debian.org/security/2015/dsa-3340
- http://www.securityfocus.com/bid/76177
- https://www.exploit-db.com/exploits/37765/
- http://framework.zend.com/security/advisory/ZF2015-06
- http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html
- http://packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html
- http://seclists.org/fulldisclosure/2015/Aug/46
- http://www.debian.org/security/2015/dsa-3340
- http://www.securityfocus.com/bid/76177
- https://www.exploit-db.com/exploits/37765/