XML External Entity Bypass in Zend Framework by Zend Technologies
CVE-2015-5161

Currently unrated

Key Information:

Vendor: Zend
Status: Zend Framework
Vendor: CVE Published:; 25 August 2015

What is CVE-2015-5161?

The vulnerability in Zend Framework allows remote attackers to exploit XML external entity injection (XXE) by bypassing security checks in the XML processing. Specifically, when the Zend_Xml_Security::scan function is executed in a PHP-FPM environment with threading, it can be manipulated using multibyte encoded characters to conduct unauthorized actions or access sensitive data due to improper handling of XML entities. This flaw is critical for applications that utilize XML processing without adequate security measures.

References

http://packetstormsecurity.com/files/133068/Zend-Framewor...

x_refsource_MISC

http://lists.fedoraproject.org/pipermail/package-announce...

vendor-advisoryx_refsource_FEDORA

http://legalhackers.com/advisories/zend-framework-XXE-vul...

x_refsource_MISC

EPSS Score

35% chance of being exploited in the next 30 days.

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 25, 2015
Vulnerability Reserved
Jul 1, 2015