CVE-2012-4399

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
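
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| redhat | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |
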
EPSS Score percentile: 95%

| Vendor | Product | Version |
|---|---|---|
| cakefoundation | cakephp | 2.1.0 ≤ 𝑥 < 2.1.5 |
| cakefoundation | cakephp | 2.2.0 ≤ 𝑥 < 2.2.1 |

𝑥 = Vulnerable software versions

Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| cakephp | bullseye | 2.10.11-2.1 | fixed |

Ubuntu Releases
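
| Ubuntu Product | Codename | Status |
|---|---|---|
| cakephp | precise | not-affected |
| cakephp | oneiric | not-affected |
| cakephp | natty | not-affected |
| cakephp | lucid | not-affected |
| cakephp | hardy | not-affected |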