XXE attack in PHP - #VU15775

Published: November 9, 2018


Vulnerability identifier: #VU15775
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: PHP Group
Affected software:
PHP

Detailed vulnerability description

The vulnerability allows a remote unauthenticated attacker to conduct an XXE attack.

The vulnerability exists because entities from the internal DTD are not resolved in element content when using xml_parse_into_struct(). A remote attacker can trick the victim into opening an XML file that submits malicious input, gaining access to arbitrary data or causing the service to crash.
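As an added example that is not part of this advisory, the standard CWE-611 defence for this API: refuse untrusted XML that carries a DOCTYPE (the internal DTD subset is where such entity declarations live) before it ever reaches xml_parse_into_struct(), so the outcome does not depend on the parser version. The function name and the sample documents are constructed for this example.

```php
<?php
// Added example, not code from the advisory or from PHP itself.
// Untrusted XML has no legitimate need for a document type declaration,
// so any DOCTYPE or ENTITY declaration is rejected before parsing.

function parse_untrusted_xml(string $xml): array
{
    if (preg_match('/<!DOCTYPE/i', $xml) || preg_match('/<!ENTITY/i', $xml)) {
        throw new InvalidArgumentException('XML containing a DTD or entity declaration was rejected');
    }

    $parser = xml_parser_create('UTF-8');
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, 0); // keep tag names as written
    xml_parser_set_option($parser, XML_OPTION_SKIP_WHITE, 1);   // drop whitespace-only values

    $values = [];
    $index  = [];
    $ok = xml_parse_into_struct($parser, $xml, $values, $index); // returns 1 on success, 0 on failure
    if ($ok !== 1) {
        $msg  = xml_error_string(xml_get_error_code($parser));
        $line = xml_get_current_line_number($parser);
        xml_parser_free($parser);
        throw new RuntimeException("XML parse error at line $line: $msg");
    }
    xml_parser_free($parser);
    return $values;
}

// Constructed sample input: a plain document is parsed, a document with an
// internal DTD subset (a harmless entity used only to trigger the check) is refused.
$benign = '<order><item sku="A1">2</item></order>';
print_r(parse_untrusted_xml($benign));

$withDtd = '<!DOCTYPE order [<!ENTITY e "x">]><order>&e;</order>';
try {
    parse_untrusted_xml($withDtd);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```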


Remediation

The vulnerability has been fixed in versions 7.1.24 and 7.2.12.

Sources