CVE-2012-6531
Zend Framework XEE Vulnerability
EPSS 0.91%
Description
(1) `Zend_Dom`, (2) `Zend_Feed`, and (3) `Zend_Soap` in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement classes, which allow remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack, a different vulnerability than CVE-2012-3363.
How to fix CVE-2012-6531
To remediate CVE-2012-6531, upgrade the affected package to a fixed version below.
- Debian/zendframework: upgrade to 1.10.6-1squeeze3 or later
- (package not named on this page): upgrade to 1.11.13 or later
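Beyond upgrading, application code that feeds untrusted XML-RPC, feed or SOAP payloads to SimpleXMLElement can refuse entity-bearing documents itself. This is an added example, not Zend Framework's own fix; the function name and the two sample payloads are constructed for illustration.

```php
<?php
// Added example (not Zend Framework code): parse untrusted XML into
// SimpleXMLElement without ever resolving external entities.
//
// Layer 1: reject any DOCTYPE. An XXE payload needs a DOCTYPE to declare
//          its <!ENTITY>, while legitimate XML-RPC/SOAP/feed bodies do not.
// Layer 2: parse with LIBXML_NONET (no network access) and without
//          LIBXML_NOENT (entities are left unexpanded).
function loadUntrustedXml(string $xml): SimpleXMLElement
{
    // Layer 1, done on the raw bytes before libxml sees the document.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException(
            'Refusing to parse XML that contains a DOCTYPE declaration'
        );
    }

    // Layer 2. On PHP < 8.0 the external entity loader is still enabled by
    // default and must be switched off; on 8.0+ the call is deprecated
    // because loading is already off, so it is skipped there.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);
    try {
        $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
        if ($doc === false) {
            $messages = [];
            foreach (libxml_get_errors() as $error) {
                $messages[] = trim($error->message);
            }
            libxml_clear_errors();
            throw new InvalidArgumentException('Malformed XML: ' . implode('; ', $messages));
        }
        return $doc;
    } finally {
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Constructed sample inputs: a benign XML-RPC call and one carrying an
// external entity declaration (placeholder URI) of the kind the CVE describes.
$benign = '<?xml version="1.0"?><methodCall><methodName>ping</methodName></methodCall>';
$hostile = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM "file:///placeholder">]>'
         . '<methodCall><methodName>&e;</methodName></methodCall>';

echo (string) loadUntrustedXml($benign)->methodName, PHP_EOL;
try {
    loadUntrustedXml($hostile);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The DOCTYPE check is the decisive control: it stops the entity from being declared at all, whereas the libxml flags only limit what an already-declared entity can reach.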
Is CVE-2012-6531 being exploited?
Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.10.6-1squeeze3
- >= 1.0, < 1.11.13