5

CVSS Score

Basic Information

CVE ID

CVE-2012-5657

GHSA ID

GHSA-9m5v-vq4f-mrvf

EPSS Score

0.71532%

CWE

CWE-200

Published

5/17/2022

Updated

1/12/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2012-5657

CVE-2012-5657: Zend Framework XXE Vulnerability

The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.

(GitHub Advisory)

5

CVSS Score

Basic Information

CVE ID

CVE-2012-5657

GHSA ID

GHSA-9m5v-vq4f-mrvf

EPSS Score

0.71532%

CWE

CWE-200

Published

5/17/2022

Updated

1/12/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
zendframework/zendframework1	composer	< 1.11.15	1.11.15
zendframework/zendframework1	composer	>= 1.12.0-rc1, < 1.12.1	1.12.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML parsing in Zend_Feed components. The commit patches show that both Zend_Feed::importString and Zend_Feed_Abstract's constructor were modified to add libxml_disable_entity_loader protections. Prior to the fix, these functions parsed XML (via DOMDocument::loadXML) without disabling external entity resolution, allowing attackers to inject malicious entities. The vulnerable code paths are directly in the XML processing methods before entity loader hardening was implemented.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** (*) Z*n*_****_Rss *n* (*) Z*n*_****_*tom *l*ss*s in Z*n*_**** in Z*n* *r*m*work *.**.x ***or* *.**.** *n* *.**.x ***or* *.**.* *llow r*mot* *tt**k*rs to r*** *r*itr*ry *il*s, s*n* *TTP r*qu*sts to intr*n*t s*rv*rs, *n* possi*ly **us* * **ni*l o*

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rsin* in Z*n*_**** *ompon*nts. T** *ommit p*t***s s*ow t**t *ot* Z*n*_****::importStrin* *n* Z*n*_****_**str**t's *onstru*tor w*r* mo*i*i** to *** li*xml_*is**l*_*ntity_lo***r prot**tions. Prior to t** *ix,

5

Basic Information

Concerned about an active attack path?

CVE-2012-5657: Zend Framework XXE Vulnerability

5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI