GHSA-5964-pq8r-4q62, CVE-2012-4399
packagist/cakephp/cakephp
CakePHP allows remote attackers to read arbitrary files via XML data containing external entity references
The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
All versions starting from 2.1.0-alpha before 2.1.5, all versions starting from 2.2.0-beta before 2.2.1
Upgrade to versions 2.1.5, 2.2.1 or above.
2023-01-16