XML External Entity Vulnerability in Zend Framework Products
CVE-2014-2682
Currently unrated
What is CVE-2014-2682?
The vulnerability in Zend Framework arises from improper handling of the libxml_disable_entity_loader setting when PHP-FPM is used. This misconfiguration can lead to XML External Entity (XXE) attacks, in which remote threat actors use XML external entity declarations to access sensitive files or conduct further attacks on the system. Developers and system administrators should implement adequate security measures and ensure that their Zend Framework products are updated to the latest versions to mitigate the risk associated with this vulnerability.
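One way to parse untrusted XML without depending on the libxml_disable_entity_loader state at all, shown as an added example that is not Zend Framework's code or its patch. The helper name parseUntrustedXml() is hypothetical and the two sample documents are constructed.

```php
<?php
// Added example (not Zend Framework code). parseUntrustedXml() is a
// hypothetical helper; the sample documents at the bottom are constructed.

function parseUntrustedXml(string $xml): DOMDocument
{
    if ($xml === '') {
        throw new InvalidArgumentException('Empty XML document');
    }
    // Pre-check: refuse DTDs and entity declarations before libxml sees the
    // input, so the decision never depends on shared entity-loader state.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        throw new InvalidArgumentException('DOCTYPE/ENTITY not allowed');
    }

    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access. LIBXML_NOENT and LIBXML_DTDLOAD
    // are deliberately not set, so entities are not substituted.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        throw new InvalidArgumentException('Malformed XML');
    }

    // Tree check: catches a DOCTYPE the string pre-check could not see,
    // for example in a document that is not ASCII-compatible (UTF-16).
    foreach ($dom->childNodes as $node) {
        if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new InvalidArgumentException('DOCTYPE not allowed');
        }
    }
    return $dom;
}

// Constructed inputs: one plain document, one declaring an external entity.
$samples = [
    'plain'   => '<order><id>42</id></order>',
    'doctype' => '<!DOCTYPE order [<!ENTITY x SYSTEM "file:///constructed/placeholder">]>'
               . '<order><id>&x;</id></order>',
];
foreach ($samples as $name => $xml) {
    try {
        parseUntrustedXml($xml);
        echo "$name: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$name: rejected ({$e->getMessage()})\n";
    }
}
```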