GHSA-5964-pq8r-4q62

Suggest an improvement
Source
https://github.com/advisories/GHSA-5964-pq8r-4q62
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5964-pq8r-4q62/GHSA-5964-pq8r-4q62.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-5964-pq8r-4q62
Aliases
  • CVE-2012-4399
Published
2022-05-17T05:07:14Z
Modified
2024-04-09T14:17:43Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
CakePHPallows remote attackers to read arbitrary files via XML data containing external entity references
Details

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

Database specific
{
    "nvd_published_at": "2012-10-09T23:55:00Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-14T05:30:14Z"
}
References

Affected packages

Packagist / cakephp/cakephp

Package

Name
cakephp/cakephp
Purl
pkg:composer/cakephp/cakephp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0-alpha
Fixed
2.1.5

Packagist / cakephp/cakephp

Package

Name
cakephp/cakephp
Purl
pkg:composer/cakephp/cakephp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0-beta
Fixed
2.2.1