CVE-2012-3363
high-risk
Published 2013-02-13
Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
Do I need to act?
!
55.1% chance of exploitation in next 30 days
EPSS score — higher than 45% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10
Critical
NETWORK
/ LOW complexity
Affected Products (8)
Affected Vendors
References (24)
Vendor Advisory
http://framework.zend.com/security/advisory/ZF2012-01
Mailing List
http://openwall.com/lists/oss-security/2013/03/25/2
Mailing List
http://www.debian.org/security/2012/dsa-2505
Broken Link
http://www.securitytracker.com/id?1027208
Third Party Advisory
https://moodle.org/mod/forum/discuss.php?d=225345
Vendor Advisory
http://framework.zend.com/security/advisory/ZF2012-01
Mailing List
http://openwall.com/lists/oss-security/2013/03/25/2
Mailing List
http://www.debian.org/security/2012/dsa-2505
and 4 more references
63
/ 100
high-risk
Severity
31/34 · Critical
Exploitability
18/34 · Moderate
Exposure
14/34 · Moderate