6.8

CVSS Score

Basic Information

CVE ID

CVE-2015-5161

GHSA ID

GHSA-xp8p-9rq5-4wgv

EPSS Score

0.96726%

CWE

CWE-611

Published

5/17/2022

Updated

2/7/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2015-5161

CVE-2015-5161: ZendXml and Zend Framework contain XXE and XEE Vulnerabilities

The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.

(GitHub Advisory)

6.8

CVSS Score

Basic Information

CVE ID

CVE-2015-5161

GHSA ID

GHSA-xp8p-9rq5-4wgv

EPSS Score

0.96726%

CWE

CWE-611

Published

5/17/2022

Updated

2/7/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
zendframework/zendframework	composer	>= 2.0.0, < 2.4.6	2.4.6
zendframework/zendframework	composer	>= 2.5.0, < 2.5.2	2.5.2
zendframework/zendframework1	composer	>= 1.12.0, < 1.12.14	1.12.14
zendframework/zendxml	composer	>= 1.0.0, < 1.0.1	1.0.1
zendframework/zendframework	composer	>= 1.12.0, < 1.12.14	1.12.14

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key issues: 1) heuristicScan's naive string matching for entity declarations that couldn't detect multibyte-encoded payloads, and 2) scan's decision to use heuristicScan instead of libxml_disable_entity_loader under PHP-FPM. The commit diffs show these functions were modified in patches, and the vulnerability documentation explicitly identifies Zend_Xml_Security::scan as the entry point. The combination of improper encoding handling in heuristicScan and the threading-related workaround in scan created the exploit vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** `Z*n*_Xml_S**urity::s**n` in Z*n*Xml ***or* *.*.* *n* Z*n* *r*m*work ***or* *.**.**, *.x ***or* *.*.*, *n* *.*.x ***or* *.*.*, w**n runnin* un**r P*P-*PM in * t*r***** *nvironm*nt, *llows r*mot* *tt**k*rs to *yp*ss s**urity ****ks *n* *on*u*t XML

Reasoning

T** vuln*r**ility st*mm** *rom two k*y issu*s: *) **uristi*S**n's n*iv* strin* m*t**in* *or *ntity ***l*r*tions t**t *oul*n't **t**t multi*yt*-*n*o*** p*ylo**s, *n* *) s**n's ***ision to us* **uristi*S**n inst*** o* li*xml_*is**l*_*ntity_lo***r un**r

6.8

Basic Information

Concerned about an active attack path?

CVE-2015-5161: ZendXml and Zend Framework contain XXE and XEE Vulnerabilities

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI