Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 5.0
CVE Id: CVE-2012-4399
Last Modified: 30 Jul 2013 02:28:26
Published: 09 Oct 2012 07:55:05
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2012-4399

Summary

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

Vulnerable Systems

Application

  • Cakefoundation Cakephp 2.1.0

  • Cakefoundation Cakephp 2.1.1

  • Cakefoundation Cakephp 2.1.2

  • Cakefoundation Cakephp 2.1.3

  • Cakefoundation Cakephp 2.1.4

  • Cakefoundation Cakephp 2.2.0

  • Cakefoundation Cakephp 2.2.0-beta


References

OSVDB - 84042

MLIST - [oss-security] 20120903 Re: CVE-request: CakePHP XXE injection

MLIST - [oss-security] 20120903 CVE-request: CakePHP XXE injection

EXPLOIT-DB - 19863

SECUNIA - 49900

BUGTRAQ - 20120716 CakePHP 2.x-2.2.0-RC2 XXE Injection

CONFIRM - http://bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1


Last Updated: 27 May 2016 11:00:56