Lucene search
HistoryAug 25, 2015 - 5:59 p.m.
CVE-2015-5161
cve-2015-5161
zendxml
zend framework
security vulnerability
xxe
xee
php-fpm
nvd
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.3 High
AI Score
Confidence
High
0.079 Low
EPSS
Percentile
94.3%
The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.
Affected configurations
Node
zendzend_frameworkMatch1.0.0
ORzendzend_frameworkMatch1.0.0rc1
ORzendzend_frameworkMatch1.0.0rc2
ORzendzend_frameworkMatch1.0.0rc2a
ORzendzend_frameworkMatch1.0.0rc3
ORzendzend_frameworkMatch1.0.1
ORzendzend_frameworkMatch1.0.2
ORzendzend_frameworkMatch1.0.3
ORzendzend_frameworkMatch1.0.4
ORzendzend_frameworkMatch1.5.0rc1
ORzendzend_frameworkMatch1.5.0rc2
ORzendzend_frameworkMatch1.5.0rc3
ORzendzend_frameworkMatch1.5.1
ORzendzend_frameworkMatch1.5.2
ORzendzend_frameworkMatch1.5.3
ORzendzend_frameworkMatch1.6.0
ORzendzend_frameworkMatch1.6.0rc1
ORzendzend_frameworkMatch1.6.0rc2
ORzendzend_frameworkMatch1.6.0rc3
ORzendzend_frameworkMatch1.6.1
ORzendzend_frameworkMatch1.6.2
ORzendzend_frameworkMatch1.7.0
ORzendzend_frameworkMatch1.7.0pl1
ORzendzend_frameworkMatch1.7.0pr
ORzendzend_frameworkMatch1.7.1
ORzendzend_frameworkMatch1.7.2
ORzendzend_frameworkMatch1.7.3
ORzendzend_frameworkMatch1.7.3pl1
ORzendzend_frameworkMatch1.7.4
ORzendzend_frameworkMatch1.7.5
ORzendzend_frameworkMatch1.7.6
ORzendzend_frameworkMatch1.7.7
ORzendzend_frameworkMatch1.7.8
ORzendzend_frameworkMatch1.7.9
ORzendzend_frameworkMatch1.8.0
ORzendzend_frameworkMatch1.8.0a1
ORzendzend_frameworkMatch1.8.0b1
ORzendzend_frameworkMatch1.8.1
ORzendzend_frameworkMatch1.8.2
ORzendzend_frameworkMatch1.8.3
ORzendzend_frameworkMatch1.8.4
ORzendzend_frameworkMatch1.8.4pl1
ORzendzend_frameworkMatch1.8.5
ORzendzend_frameworkMatch1.9.0
ORzendzend_frameworkMatch1.9.0a1
ORzendzend_frameworkMatch1.9.0b1
ORzendzend_frameworkMatch1.9.0rc1
ORzendzend_frameworkMatch1.9.1
ORzendzend_frameworkMatch1.9.2
ORzendzend_frameworkMatch1.9.3
ORzendzend_frameworkMatch1.9.3pl1
ORzendzend_frameworkMatch1.9.4
ORzendzend_frameworkMatch1.9.5
ORzendzend_frameworkMatch1.9.6
ORzendzend_frameworkMatch1.9.7
ORzendzend_frameworkMatch1.9.8
ORzendzend_frameworkMatch1.10.0
ORzendzend_frameworkMatch1.10.0alpha1
ORzendzend_frameworkMatch1.10.0beta1
ORzendzend_frameworkMatch1.10.0rc1
ORzendzend_frameworkMatch1.10.1
ORzendzend_frameworkMatch1.10.2
ORzendzend_frameworkMatch1.10.3
ORzendzend_frameworkMatch1.10.4
ORzendzend_frameworkMatch1.10.5
ORzendzend_frameworkMatch1.10.6
ORzendzend_frameworkMatch1.10.7
ORzendzend_frameworkMatch1.10.8
ORzendzend_frameworkMatch1.10.9
ORzendzend_frameworkMatch1.11.0
ORzendzend_frameworkMatch1.11.0b1
ORzendzend_frameworkMatch1.11.0rc1
ORzendzend_frameworkMatch1.11.1
ORzendzend_frameworkMatch1.11.2
ORzendzend_frameworkMatch1.11.3
ORzendzend_frameworkMatch1.11.4
ORzendzend_frameworkMatch1.11.5
ORzendzend_frameworkMatch1.11.6
ORzendzend_frameworkMatch1.11.7
ORzendzend_frameworkMatch1.11.8
ORzendzend_frameworkMatch1.11.9
ORzendzend_frameworkMatch1.11.10
ORzendzend_frameworkMatch1.11.11
ORzendzend_frameworkMatch1.11.12
ORzendzend_frameworkMatch1.11.13
ORzendzend_frameworkMatch1.12.0
ORzendzend_frameworkMatch1.12.0rc1
ORzendzend_frameworkMatch1.12.0rc2
ORzendzend_frameworkMatch1.12.0rc3
ORzendzend_frameworkMatch1.12.0rc4
ORzendzend_frameworkMatch1.12.1
ORzendzend_frameworkMatch1.12.2
ORzendzend_frameworkMatch1.12.3
ORzendzend_frameworkMatch1.12.4
ORzendzend_frameworkMatch1.12.5
ORzendzend_frameworkMatch1.12.6
ORzendzend_frameworkMatch1.12.7
ORzendzend_frameworkMatch1.12.8
ORzendzend_frameworkMatch1.12.9
ORzendzend_frameworkMatch1.12.10
ORzendzend_frameworkMatch1.12.11
ORzendzend_frameworkMatch1.12.12
ORzendzend_frameworkMatch1.12.13
ORzendzend_frameworkMatch2.0.0
ORzendzend_frameworkMatch2.0.0rc1
ORzendzend_frameworkMatch2.0.0rc2
ORzendzend_frameworkMatch2.0.0rc3
ORzendzend_frameworkMatch2.0.0rc4
ORzendzend_frameworkMatch2.0.0rc5
ORzendzend_frameworkMatch2.0.0rc6
ORzendzend_frameworkMatch2.0.0rc7
ORzendzend_frameworkMatch2.0.1
ORzendzend_frameworkMatch2.0.2
ORzendzend_frameworkMatch2.0.3
ORzendzend_frameworkMatch2.0.4
ORzendzend_frameworkMatch2.0.5
ORzendzend_frameworkMatch2.0.6
ORzendzend_frameworkMatch2.0.7
ORzendzend_frameworkMatch2.1.0
ORzendzend_frameworkMatch2.1.1
ORzendzend_frameworkMatch2.1.2
ORzendzend_frameworkMatch2.1.3
ORzendzend_frameworkMatch2.1.4
ORzendzend_frameworkMatch2.1.5
ORzendzend_frameworkMatch2.1.6
ORzendzend_frameworkMatch2.2.0
ORzendzend_frameworkMatch2.2.1
ORzendzend_frameworkMatch2.2.2
ORzendzend_frameworkMatch2.2.3
ORzendzend_frameworkMatch2.2.4
ORzendzend_frameworkMatch2.2.5
ORzendzend_frameworkMatch2.2.6
ORzendzend_frameworkMatch2.2.7
ORzendzend_frameworkMatch2.2.8
ORzendzend_frameworkMatch2.2.9
ORzendzend_frameworkMatch2.2.10
ORzendzend_frameworkMatch2.3.0
ORzendzend_frameworkMatch2.3.1
ORzendzend_frameworkMatch2.3.2
ORzendzend_frameworkMatch2.3.3
ORzendzend_frameworkMatch2.3.4
ORzendzend_frameworkMatch2.3.5
ORzendzend_frameworkMatch2.3.6
ORzendzend_frameworkMatch2.3.7
ORzendzend_frameworkMatch2.3.8
ORzendzend_frameworkMatch2.3.9
ORzendzend_frameworkMatch2.4.0
ORzendzend_frameworkMatch2.4.1
ORzendzend_frameworkMatch2.4.2
ORzendzend_frameworkMatch2.4.3
ORzendzend_frameworkMatch2.4.4
ORzendzend_frameworkMatch2.4.5
ORzendzend_frameworkMatch2.5.0
ORzendzend_frameworkMatch2.5.1
References
framework.zend.com/security/advisory/ZF2015-06
legalhackers.com/advisories/zend-framework-XXE-vuln.txt
lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html
lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html
lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html
packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html
seclists.org/fulldisclosure/2015/Aug/46
www.debian.org/security/2015/dsa-3340
www.securityfocus.com/bid/76177
www.exploit-db.com/exploits/37765/
Related
nessus
nessus
Debian DSA-3340-1 : zendframework - security update
2015-08-24 00:00:00
Debian DLA-302-1 : zendframework security update
2015-08-28 00:00:00
packetstorm
packetstorm
Zend Framework 2.4.2 / 1.12.13 XXE Injection
2015-08-13 00:00:00
openvas
openvas
Mageia: Security Advisory (MGASA-2015-0371)
2015-10-15 00:00:00
Debian Security Advisory DSA 3340-1 (zendframework - security update)
2015-08-19 00:00:00
Debian: Security Advisory (DLA-302-1)
2023-03-08 00:00:00
securityvulns
securityvulns
[SECURITY] [DSA 3340-1] zendframework security update
2015-08-24 00:00:00
friendsofphp
friendsofphp
XXE/XEE vector when using ZendXml on multibyte payloads
2015-08-03 15:13:58
XXE/XEE vector when using ZendXml on multibyte payloads
2015-08-03 15:13:58
XXE/XEE vector when using ZendXml on multibyte payloads
2015-08-03 15:13:58
ubuntucve
ubuntucve
CVE-2015-5161
2015-08-25 00:00:00
CVE-2015-8866
2016-05-22 00:00:00
fedora
fedora
[SECURITY] Fedora 22 Update: php-ZendFramework2-2.4.7-1.fc22
2015-08-27 18:33:26
[SECURITY] Fedora 22 Update: php-guzzle-Guzzle-3.9.3-5.fc22
2015-08-27 18:33:26
[SECURITY] Fedora 21 Update: php-ZendFramework2-2.4.7-1.fc21
2015-08-27 23:52:14
veracode
veracode
XML External Entity (XXE) And XML Entity Expansion (XEE)
2017-07-26 23:17:17
debian
debian
[SECURITY] [DSA 3340-1] zendframework security update
2015-08-19 21:43:10
[SECURITY] [DLA 302-1] zendframework security update
2015-08-27 17:38:42
[SECURITY] [DLA 499-1] php5 security update
2016-05-31 20:07:56
osv
osv
zendframework - security update
2015-08-27 00:00:00
ZendXml and Zend Framework contain XXE and XEE Vulnerabilities
2022-05-17 03:16:37
php5 - security update
2016-05-31 00:00:00
mageia
mageia
Updated php-ZendFramework packages fix CVE-2015-5161
2015-09-15 17:55:06
Updated php-ZendFramework packages fix CVE-2015-5161
2015-09-15 17:55:06
cvelist
cvelist
CVE-2015-5161
2015-08-25 17:00:00
CVE-2015-8866
2016-05-22 01:00:00
github
github
ZendXml and Zend Framework contain XXE and XEE Vulnerabilities
2022-05-17 03:16:37
exploitpack
exploitpack
Zend Framework 2.4.2 - PHP FPM XML eXternal Entity Injection
2015-08-13 00:00:00
eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection
2015-10-30 00:00:00
zdt
zdt
Zend Framework 2.4.2 / 1.12.13 XXE Injection Vulnerability
2015-08-13 00:00:00
nvd
nvd
CVE-2015-5161
2015-08-25 17:59:03
CVE-2015-8866
2016-05-22 01:59:05
exploitdb
exploitdb
Zend Framework 2.4.2 - PHP FPM XML eXternal Entity Injection
2015-08-13 00:00:00
eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection
2015-10-30 00:00:00
f5
f5
K80922332 : PHP vulnerability CVE-2015-8866
2020-10-02 00:00:00
cve
cve
CVE-2015-8866
2016-05-22 01:59:05
suse
suse
Security update for php53 (important)
2016-06-21 13:08:17
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.3 High
AI Score
Confidence
High
0.079 Low
EPSS
Percentile
94.3%
Related for CVE-2015-5161