PT-2012-59: XML External Entity Injection in Zend Framework

Vulnerable software
Zend Framework
Version: 1.12.0; 1.11.13 and earlier
Application link: http://framework.zend.com/

Severity level
Severity level: Medium
Impact: XML External Entity Injection (XXE)
Access Vector: Remote
CVSS v2:
Base Score: 6.4
Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVE: not assigned

Software description
Zend Framework is an object-oriented library of components for developing web applications in PHP.

Vulnerability description
Specialists of the Positive Research Center have detected an XXE injection vulnerability in Zend Framework. The injection is possible during the import of RSS documents: entity declarations in the feed's DTD are honoured when the document is parsed, so a feed that declares an external entity pointing at a local file and references that entity inside an element causes the file's contents to be pulled into the parsed document. An attacker who can supply a feed for import is therefore able to read an arbitrary file on the target system (subject to the permissions of the web server process).

How to fix
Update your software to the latest version (see the vendor advisory ZF2012-05 in the references below).

Advisory status
13.12.2012 - Vendor is notified
13.12.2012 - Vendor gets vulnerability details
17.12.2012 - Vendor releases fixed version and details
05.02.2013 - Public disclosure

Credits
The vulnerability was discovered by Yury Dyachenko, Positive Research Center (Positive Technologies Company).

References
http://en.securitylab.ru/lab/PT-2012-59
http://framework.zend.com/security/advisory/ZF2012-05

Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/
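The following is an added example to illustrate the feed-import scenario in the vulnerability description; it is not code from the advisory or from Zend Framework. It builds a constructed RSS 2.0 document of the shape an attacker would submit (a DTD declaring an external entity that points at a local file, referenced from a title element) and shows the defensive check a feed importer needs: refusing any entity declaration before the parser expands anything, using Python's expat bindings rather than the PHP/libxml code path the advisory concerns. The file path, the feed contents and the function names are assumptions made for the example.

```python
"""Added example (not Zend Framework code): a crafted RSS feed carrying an
external-entity declaration, and a feed parser that refuses entity
declarations before any content is expanded."""
import xml.parsers.expat as expat


# Constructed payload: an RSS 2.0 document whose channel <title> is the
# contents of a local file, pulled in via an external general entity.
# The target path is an assumption; any file readable by the parsing
# process would do.
def build_xxe_rss(target="/etc/passwd"):
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE rss [\n'
        f'  <!ENTITY xxe SYSTEM "file://{target}">\n'
        ']>\n'
        '<rss version="2.0"><channel>\n'
        '  <title>&xxe;</title>\n'
        '  <item><title>first</title></item>\n'
        '</channel></rss>\n'
    )


# Constructed benign feed used to show that ordinary documents still parse.
CLEAN_RSS = (
    '<?xml version="1.0"?>\n'
    '<rss version="2.0"><channel>\n'
    '  <title>Example channel</title>\n'
    '  <item><title>First item</title></item>\n'
    '</channel></rss>\n'
)


class EntityDeclarationError(ValueError):
    """Raised when a feed declares any entity, internal or external."""


def parse_feed_titles(xml_text):
    """Return the text of every <title> element in an RSS document.

    Raises EntityDeclarationError if the DTD declares any entity.  Rejecting
    all entity declarations (not just SYSTEM ones) also shuts out internal
    entity expansion attacks such as "billion laughs".  Parameter-entity
    parsing is disabled so no external DTD subset is ever fetched, and the
    external-entity reference handler aborts the parse as a second line of
    defence should a declaration somehow slip through.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    titles = []
    state = {"in_title": False, "buf": []}

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation_name):
        # Fires while the internal DTD subset is read, before any element
        # content is processed, so the payload never reaches expansion.
        raise EntityDeclarationError(f"entity declaration {name!r} rejected")

    def on_external_entity_ref(context, base, system_id, public_id):
        # Returning 0 makes expat abort; system_id is never opened here.
        return 0

    def on_start(tag, attrs):
        if tag == "title":
            state["in_title"] = True
            state["buf"] = []

    def on_end(tag):
        if tag == "title":
            titles.append("".join(state["buf"]))
            state["in_title"] = False

    def on_chars(data):
        # expat may deliver one text node in several chunks; accumulate.
        if state["in_title"]:
            state["buf"].append(data)

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_text, True)
    return titles


def feed_is_safe(xml_text):
    """True if the feed parses without declaring any entity."""
    try:
        parse_feed_titles(xml_text)
        return True
    except EntityDeclarationError:
        return False


if __name__ == "__main__":
    print(parse_feed_titles(CLEAN_RSS))          # ['Example channel', 'First item']
    print(feed_is_safe(build_xxe_rss()))         # False: declaration rejected
```

The check deliberately fires on the declaration rather than on the reference: by the time a parser is asked to resolve `&xxe;` it may already have opened the file, so the policy has to be enforced while the DTD is being read. The same ordering applies in PHP, where the entity loader must be disabled, or the DOCTYPE rejected, before the document is handed to libxml.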