CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
AI Score
Confidence: High
EPSS Percentile: 44.4%
A flaw was found in PHP due to inadequate validation of user-supplied XML input. By leveraging specially crafted XML code, a remote attacker could obtain sensitive information by viewing the contents of arbitrary files on the system or initiating requests to external systems. This issue may allow unauthorized access to sensitive data and the potential for network scanning of internal and external infrastructure.
To avoid XML external entity attacks, either disable external entity loading if it's not necessary for your application, or change the default external entity loader by using libxml_set_external_entity_loader. This can be used to suppress the expansion of arbitrary external entities. For PHP versions prior to 8.0, the following should be set when using the default PHP XML parser in order to prevent XXE:
<https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php>
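An added example of that mitigation for PHP's default XML parser (DOMDocument); it is not code from the advisory or from the PHP project. It installs a refusing loader with libxml_set_external_entity_loader, keeps the pre-8.0 libxml_disable_entity_loader() call behind a version guard (a real PHP function, deprecated from 8.0), and parses a constructed XXE sample with LIBXML_NONET.

```php
<?php
// Added example: parse untrusted XML in PHP with external entity
// resolution suppressed, so an XXE payload cannot read local files
// or trigger outbound requests.

declare(strict_types=1);

// Constructed XXE sample: a DTD declaring an external entity that points
// at a local file. A vulnerable parser would substitute its contents.
const XXE_SAMPLE = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY ext SYSTEM "file:///etc/hostname">
]>
<data>&ext;</data>
XML;

/**
 * Parse untrusted XML with every external entity request refused.
 * Returns the DOMDocument, or null if the document could not be loaded.
 */
function parseUntrustedXml(string $xml): ?DOMDocument
{
    // Pre-8.0 global switch; from PHP 8.0 it is deprecated and external
    // entities are no longer loaded by default, so only call it on old versions.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    // Custom loader: returning null tells libxml not to resolve the entity.
    // The attempt is logged so an XXE probe becomes visible to monitoring.
    libxml_set_external_entity_loader(
        static function (?string $public, ?string $system, array $context) {
            error_log(sprintf('blocked external entity load: public=%s system=%s',
                $public ?? '-', $system ?? '-'));
            return null;
        }
    );

    libxml_use_internal_errors(true); // collect parse errors instead of warnings
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing. Never pass
    // LIBXML_NOENT here: that flag turns entity substitution on.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    return $ok ? $doc : null;
}

$doc = parseUntrustedXml(XXE_SAMPLE);
// Either the document is rejected or the entity yields no file data.
var_dump($doc === null ? null : $doc->documentElement->textContent);
```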