CVE-2012-4399

CakePHP allows remote attackers to read arbitrary files via XML data containing external entity references in packagist/cakephp/cakephp

Identifiers

GHSA-5964-pq8r-4q62, CVE-2012-4399

Package Slug

packagist/cakephp/cakephp

Vulnerability

CakePHP allows remote attackers to read arbitrary files via XML data containing external entity references

Description

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
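The pattern behind this advisory, as an added example that is not CakePHP's own code: a small XML loader in the shape of a framework helper, shown first in an XXE-prone form and then hardened. The function names loadXmlUnsafe and loadXmlSafe and the payload are constructed for illustration; CakePHP's actual Xml::build and its fix are not reproduced here. The unsafe variant lets libxml substitute entities, so an external entity pointing at a local file is expanded into the parsed document; the safe variant refuses any DOCTYPE (the only place an ENTITY declaration can live), never requests entity substitution, and forbids parser network access.

```php
<?php
// Added example, not CakePHP code. Demonstrates how an XML helper becomes
// an XXE file-read primitive and what a hardened loader looks like.

// Constructed attacker payload: an external entity that resolves to a
// local file. On an affected libxml/PHP combination the entity body is
// substituted into <name> and returned to the application.
$payload = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data><name>&xxe;</name></data>
XML;

// Vulnerable shape (hypothetical helper). LIBXML_NOENT asks the parser to
// substitute entities; with the external entity loader enabled, that
// substitution fetches whatever the SYSTEM identifier points at.
function loadXmlUnsafe(string $input): ?SimpleXMLElement
{
    $xml = simplexml_load_string($input, 'SimpleXMLElement', LIBXML_NOENT | LIBXML_NOCDATA);
    return $xml === false ? null : $xml;
}

// Hardened shape (hypothetical helper). Three independent defences:
//  1. reject any document carrying a DOCTYPE, since ENTITY declarations
//     can only appear inside one;
//  2. never pass LIBXML_NOENT, so entities are not substituted;
//  3. pass LIBXML_NONET so the parser cannot reach out over the network
//     for DTDs or entities even if 1 and 2 were bypassed.
function loadXmlSafe(string $input): SimpleXMLElement
{
    if (preg_match('/<!DOCTYPE/i', $input)) {
        throw new RuntimeException('DOCTYPE declarations are not accepted');
    }
    // Older PHP/libxml (before libxml 2.9) loaded external entities by
    // default; disable the loader explicitly there. The call is deprecated
    // on PHP 8, where loading is already disabled by default.
    if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);
    $xml = simplexml_load_string($input, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
    libxml_use_internal_errors($previous);
    if ($xml === false) {
        throw new RuntimeException('Malformed XML');
    }
    return $xml;
}

// Run both loaders over the constructed payload.
$unsafe = loadXmlUnsafe($payload);
if ($unsafe !== null) {
    // On a vulnerable setup this is the start of the target file's contents.
    echo "unsafe loader returned name = ", substr((string)$unsafe->name, 0, 40), "\n";
} else {
    echo "unsafe loader: parse failed on this PHP/libxml build\n";
}

try {
    loadXmlSafe($payload);
    echo "safe loader: accepted (unexpected)\n";
} catch (RuntimeException $e) {
    echo "safe loader: rejected (", $e->getMessage(), ")\n";
}
```

The DOCTYPE check is the defence that holds regardless of PHP or libxml version, which is why it comes first; the entity-loader and LIBXML_NONET settings are defence in depth for code paths (DOMDocument, XMLReader) that may be configured differently elsewhere in an application.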

Affected Versions

All versions starting from 2.1.0-alpha before 2.1.5, all versions starting from 2.2.0-beta before 2.2.1

Solution

Upgrade to 2.1.5 or later on the 2.1 branch, or to 2.2.1 or later on the 2.2 branch.

Last Modified

2023-01-16
