
CVE-2015-10029: kelvinmo simplexrd vulnerable to Improper Restriction of XML External Entity Reference

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.26652%
Published: 1/7/2023
Updated: 10/20/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: kelvinmo/simplexrd
Ecosystem: composer
Vulnerable Versions: < 3.1.1
First Patched Version: 3.1.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from insecure XML parsing in SimpleXRD::load(). The patch adds the LIBXML_NONET flag to the XMLReader xml() calls, which disables network access while the document is being loaded. The commit diff shows the critical change from '$this->reader->xml($xml)' to '$this->reader->xml($xml, null, LIBXML_NONET)', directly addressing XXE by preventing external entity resolution over the network. This function is the primary XML input handler, which makes it the clear attack vector.
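The following is an added example, not code from the kelvinmo/simplexrd project: it places the pre-fix XMLReader::xml() call pattern beside the post-fix pattern with LIBXML_NONET, and adds the check a defender would want on top of the flag. The function names (loadXrdDefault, loadXrdHardened, parseXrd) and the sample XRD document are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not kelvinmo/simplexrd code. Function names are assumptions.

// Constructed sample input: a minimal XRD document of the kind a discovery
// client fetches from a remote host, i.e. untrusted input.
$sampleXrd = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>acct:alice@example.com</Subject>
  <Link rel="lrdd" type="application/xrd+xml"
        template="https://example.com/xrd?uri={uri}"/>
</XRD>
XML;

// Pre-fix pattern: default flags, so libxml is free to follow references to
// resources outside the document while it loads (the XXE root cause).
function loadXrdDefault(string $xml): XMLReader
{
    $reader = new XMLReader();
    if (!$reader->xml($xml)) {
        throw new RuntimeException('XMLReader rejected the document');
    }
    return $reader;
}

// Post-fix pattern: LIBXML_NONET stops libxml from opening network
// connections during loading, which is the change the patch introduces.
function loadXrdHardened(string $xml): XMLReader
{
    $reader = new XMLReader();
    if (!$reader->xml($xml, null, LIBXML_NONET)) {
        throw new RuntimeException('XMLReader rejected the document');
    }
    // Defence in depth: never substitute entities, never load an external DTD.
    $reader->setParserProperty(XMLReader::SUBST_ENTITIES, false);
    $reader->setParserProperty(XMLReader::LOADDTD, false);
    return $reader;
}

// Extracts Subject and Link elements from an XRD, refusing any document that
// carries a DOCTYPE: an XRD never needs one, and a DTD is where external
// entity declarations live, whether they point at the network or at local files.
function parseXrd(XMLReader $reader): array
{
    $result = ['subject' => null, 'links' => []];
    libxml_use_internal_errors(true);

    while ($reader->read()) {
        if ($reader->nodeType === XMLReader::DOC_TYPE) {
            throw new RuntimeException('DOCTYPE is not allowed in XRD input');
        }
        if ($reader->nodeType !== XMLReader::ELEMENT) {
            continue;
        }
        if ($reader->localName === 'Subject') {
            $result['subject'] = $reader->readString();
        } elseif ($reader->localName === 'Link') {
            $result['links'][] = [
                'rel'      => $reader->getAttribute('rel'),
                'type'     => $reader->getAttribute('type'),
                'template' => $reader->getAttribute('template'),
            ];
        }
    }

    // Any parser error (malformed XML, refused external resource) is fatal.
    if (libxml_get_errors() !== []) {
        libxml_clear_errors();
        throw new RuntimeException('XRD document did not parse cleanly');
    }
    return $result;
}

$parsed = parseXrd(loadXrdHardened($sampleXrd));
printf("Subject: %s\n", $parsed['subject']);
foreach ($parsed['links'] as $link) {
    printf("Link rel=%s type=%s template=%s\n",
        $link['rel'], $link['type'], $link['template']);
}
```

LIBXML_NONET only forbids network access during parsing; it does not by itself stop a DTD from referencing local resources, which is why the parse loop above rejects any DOCTYPE node outright and the hardened loader also turns off entity substitution and DTD loading. The pre-fix loadXrdDefault() is kept only to show the call shape the patch replaced; a discovery client should never feed remote XRD through it.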


WAF Protection Rules

WAF Rule

A vulnerability classified as problematic was found in kelvinmo simplexrd up to *.*.*. This vulnerability affects unknown code of the file `simplexrd/simplexrd.class.php`. The manipulation leads to xml external entity reference. Upgrading to version
