PT-2012-59: XML External Entity Injection in Zend Framework
Vulnerable software
Zend Framework
Version: 1.12.0; 1.1.13 and earlier
Application link:
http://framework.zend.com/
Severity level
Severity level: Medium
Impact: XML External Entity Injection (XXE)
Access Vector: Remote
CVSS v2:
Base Score: 6.4
Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVE: not assigned
Software description
Zend Framework is an object-oriented library of components used to develop web applications in PHP.
Vulnerability description
The specialists of the Positive Research center have detected an XXE Injection vulnerability in Zend Framework.
XXE Injection is possible during import of RSS documents in Zend Framework. An attacker is able to read arbitrary files on the target system.
How to fix
Update your software to the latest version.
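Where updating is not immediately possible, the defensive pattern for this class of bug is to make the XML parser incapable of resolving entities before it ever sees untrusted feed data. The following loader is an added example for this advisory, not Zend Framework's own code; it assumes PHP with ext/dom and ext/libxml and uses only standard functions (libxml_disable_entity_loader, DOMDocument::loadXML, DOMDocument::$doctype). The sample feeds at the bottom are constructed for the demonstration.

```php
<?php
// Hardened loader for RSS/Atom XML coming from an untrusted source.
// Added example (assumption: PHP 5.3+ with ext/dom and ext/libxml);
// this is not Zend Framework's code.

function load_feed_xml_safely($xml)
{
    // Early bail-out: a feed never needs a DTD, and external entities can
    // only be declared inside one. Reject the document outright.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DOCTYPE declaration not allowed in feed XML');
    }

    // On PHP < 8.0 libxml's external entity loader is enabled by default,
    // so turn it off for the duration of the parse: even if a DOCTYPE were
    // smuggled past the textual check (e.g. through an unexpected encoding),
    // no file or network access can happen. PHP >= 8.0 disables the loader
    // by default and deprecates this function, hence the version guard.
    $oldLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $oldLoader = libxml_disable_entity_loader(true);
    }
    $oldErrors = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing. Do NOT pass
    // LIBXML_NOENT and do NOT set $dom->substituteEntities = true: either
    // would make libxml expand entity references in the document.
    $loaded = $dom->loadXML($xml, LIBXML_NONET);

    // Restore global libxml state whatever the outcome.
    libxml_clear_errors();
    libxml_use_internal_errors($oldErrors);
    if ($oldLoader !== null) {
        libxml_disable_entity_loader($oldLoader);
    }

    if ($loaded === false) {
        throw new RuntimeException('Malformed feed XML');
    }

    // Authoritative check on the parsed tree: the parser, not a regex,
    // decides whether a document type declaration was present.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE declaration not allowed in feed XML');
    }

    return $dom;
}

// Constructed sample inputs (not taken from the advisory).
$benignFeed = '<?xml version="1.0"?><rss version="2.0"><channel>'
            . '<title>Example feed</title><item><title>First post</title></item>'
            . '</channel></rss>';

// A feed carrying a DTD with an entity declaration; it is rejected before
// any entity could be resolved, regardless of what the entity points at.
$feedWithDtd = '<?xml version="1.0"?><!DOCTYPE rss [ <!ENTITY ex "expanded"> ]>'
             . '<rss version="2.0"><channel><title>&ex;</title></channel></rss>';

$dom = load_feed_xml_safely($benignFeed);
echo 'Channel title: ', $dom->getElementsByTagName('title')->item(0)->textContent, PHP_EOL;

try {
    load_feed_xml_safely($feedWithDtd);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The two layers are deliberate: disabling the entity loader and avoiding LIBXML_NOENT make the parse itself harmless, while rejecting any DOCTYPE removes the only place an entity could be declared, so a feed that tries to use one fails loudly instead of silently losing its payload. Because libxml_disable_entity_loader and libxml_use_internal_errors change process-wide state, the previous values are restored on every path.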
Advisory status
13.12.2012 - Vendor is notified
13.12.2012 - Vendor gets vulnerability details
17.12.2012 - Vendor releases fixed version and details
05.02.2013 - Public disclosure
Credits
The vulnerability was discovered by Yury Dyachenko, Positive Research Center (Positive Technologies Company)
References
http://en.securitylab.ru/lab/PT-2012-59
http://framework.zend.com/security/advisory/ZF2012-05
Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/