
CVE-2014-2053: getID3 is vulnerable to XML External Entity (XXE)

CVSS Score: 7.5

Basic Information

EPSS Score: 0.85128%
Published: 5/17/2022
Updated: 4/23/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Package Name: james-heinrich/getid3
Ecosystem: composer
Vulnerable Versions: < 1.9.9
First Patched Version: 1.9.9

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from improper XML parsing in the XML2array method. The commit diff shows the original implementation didn't properly disable XML external entity loading via libxml_disable_entity_loader(true) before calling simplexml_load_string. This allowed XXE attacks by processing malicious XML input. The patch explicitly adds entity loader disabling and LIBXML_NOENT flag usage, confirming the vulnerability was in this specific function's XML handling logic.
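The following is an added example written for this page, not getID3's own code, showing what the hardening described above looks like in practice: a wrapper around simplexml_load_string() that refuses DTD declarations outright, disables the external entity loader on PHP versions where it is enabled by default, and then converts the result into a plain array the way an XML2array-style helper would. The function names parseXmlSafely and xmlToArray and the sample documents are assumptions made up for the illustration.

```php
<?php
// Added example, not getID3 code. Hypothetical helper names throughout.

/**
 * Parse untrusted XML into a SimpleXMLElement without resolving external
 * entities. Returns null when the document cannot be parsed.
 */
function parseXmlSafely(string $xml): ?SimpleXMLElement
{
    // Every XXE vector needs a <!DOCTYPE> to declare its entities, and
    // metadata XML from an untrusted file has no legitimate reason to
    // carry one, so reject it before libxml sees the document.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DTD declarations are not accepted');
    }

    // On PHP < 8.0 external entity loading is on by default and must be
    // switched off explicitly. libxml_disable_entity_loader() is deprecated
    // on 8.0+, where libxml refuses external entities unless asked for them.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    // Note: LIBXML_NOENT *enables* entity substitution despite its name, so it
    // is deliberately absent here. LIBXML_NONET blocks network fetches as well.
    $element = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);
    if ($previousLoader !== null) {
        libxml_disable_entity_loader($previousLoader);
    }

    return $element === false ? null : $element;
}

/**
 * XML2array-style conversion: parse safely, then flatten to nested arrays.
 */
function xmlToArray(string $xml): ?array
{
    $element = parseXmlSafely($xml);
    if ($element === null) {
        return null;
    }
    return json_decode(json_encode($element), true);
}

// Constructed sample inputs for demonstration.
$benign = '<?xml version="1.0"?><tags><title>Example</title><year>2014</year></tags>';
var_dump(xmlToArray($benign));
// array(2) { ["title"]=> string(7) "Example" ["year"]=> string(4) "2014" }

// An internal entity declaration is harmless on its own, but the wrapper
// treats any DTD as a policy violation rather than trying to decide which
// declarations are safe.
$withDtd = '<?xml version="1.0"?><!DOCTYPE t [<!ENTITY e "x">]><t>&e;</t>';
try {
    xmlToArray($withDtd);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The pre-parse DOCTYPE check is the part worth keeping even on PHP 8, where the entity loader is already off by default: it makes the policy explicit and independent of libxml version and flag semantics, and a log line at that rejection point is a cheap detection signal for XML that arrives with a DTD attached.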


WAF Protection Rules

WAF Rule

getID3() before 1.9.9, as used in ownCloud Server before 7.0.10 and 8.0.x before 8.0.5, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
