Miggo Logo
Miggo Vulnerability Database
CVE-2014-2053

CVE-2014-2053: getID3 is vulnerable to XML External Entity (XXE)

7.5

CVSS Score

Basic Information

CVE ID
CVE-2014-2053
GHSA ID
GHSA-5v43-55m5-qr8f
EPSS Score
0.85128%
CWE
CWE-611
Published
5/17/2022
Updated
4/23/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
AV:N/AC:L/Au:N/C:P/I:P/A:P
Package NameEcosystemVulnerable VersionsFirst Patched Version
james-heinrich/getid3composer< 1.9.91.9.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper XML parsing in the XML2array method. The commit diff shows the original implementation didn't properly disable XML external entity loading via libxml_disable_entity_loader(true) before calling simplexml_load_string. This allowed XXE attacks by processing malicious XML input. The patch explicitly adds entity loader disabling and LIBXML_NOENT flag usage, confirming the vulnerability was in this specific function's XML handling logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**tI**() ***or* *.*.*, *s us** in own*lou* S*rv*r ***or* *.*.** *n* *.*.x ***or* *.*.*, *llows r*mot* *tt**k*rs to r*** *r*itr*ry *il*s, **us* * **ni*l o* s*rvi**, or possi*ly **v* ot**r imp**t vi* *n XML *xt*rn*l *ntity (XX*) *tt**k.

Reasoning

T** vuln*r**ility st*ms *rom improp*r XML p*rsin* in t** XML**rr*y m*t*o*. T** *ommit *i** s*ows t** ori*in*l impl*m*nt*tion *i*n't prop*rly *is**l* XML *xt*rn*l *ntity lo**in* vi* li*xml_*is**l*_*ntity_lo***r(tru*) ***or* **llin* simpl*xml_lo**_stri