#VU15775 XXE attack in PHP 

Published: November 9, 2018


Vulnerability identifier: #VU15775
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: PHP
Software vendor: PHP Group

Description

The vulnerability allows a remote unauthenticated attacker to conduct an XXE (XML External Entity) attack.

The vulnerability exists because entities declared in the internal DTD are not resolved in element content when using xml_parse_into_struct(). A remote attacker can trick the victim into opening a specially crafted XML file that submits malicious input, allowing the attacker to gain access to arbitrary data or cause the service to crash.
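
Because the affected API is xml_parse_into_struct(), the practical mitigation on unpatched versions is to refuse any document that carries a DTD before the parser sees it: XXE requires a DOCTYPE declaration to define entities, so rejecting documents that declare one blocks the attack class regardless of how the parser resolves entities. The following is an added example written for this page; it is not code from the advisory or from PHP Group, and the helper names (has_doctype, safe_parse_into_struct) and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the advisory or PHP Group): a defensive wrapper
// around xml_parse_into_struct() that refuses any document carrying a DTD.
// The DOCTYPE check is implemented here with a regular expression over the
// document prolog; it is an assumption of this example, not a PHP API.

function has_doctype(string $xml): bool
{
    // A DOCTYPE may be preceded by the XML declaration, comments and
    // whitespace. Strip leading comments, then look for "<!DOCTYPE" anywhere
    // in the first few KB of the document. Case-insensitive to be conservative.
    $prolog = preg_replace('/<!--.*?-->/s', '', substr($xml, 0, 4096));
    return (bool) preg_match('/<!DOCTYPE\b/i', $prolog);
}

/**
 * Parse untrusted XML into the array structure xml_parse_into_struct()
 * produces, refusing documents that declare a DTD (internal or external).
 * Returns null when the input is rejected or fails to parse.
 */
function safe_parse_into_struct(string $xml, int $maxBytes = 1048576): ?array
{
    // Bound the input size as well, so a large document cannot exhaust memory.
    if (strlen($xml) > $maxBytes || has_doctype($xml)) {
        return null;
    }

    $parser = xml_parser_create();
    $values = [];
    $index = [];
    $ok = xml_parse_into_struct($parser, $xml, $values, $index);
    xml_parser_free($parser);

    // xml_parse_into_struct() returns 1 on success and 0 on failure.
    return $ok === 1 ? $values : null;
}

// Constructed sample inputs for demonstration (not taken from the advisory).
$benign  = '<?xml version="1.0"?><order><item id="1">widget</item></order>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE order [<!ENTITY x "placeholder">]>'
         . '<order>&x;</order>';

var_dump(safe_parse_into_struct($benign) !== null);  // accepted and parsed
var_dump(safe_parse_into_struct($withDtd) === null); // rejected before parsing
```

The trade-off is that this wrapper also rejects legitimate documents that declare a DTD; for an application that must accept them, the safer route is to upgrade to a fixed version and, if the DOM parser is used elsewhere, to avoid passing LIBXML_NOENT so that entities are never substituted.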


Remediation

The vulnerability has been fixed in the versions 7.1.24, 7.2.12.

External links