CVE-2012-4399 — CakePHPallows remote attackers to read arbitrary files via XML data containing e

Description

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

How to fix CVE-2012-4399

To remediate CVE-2012-4399, upgrade the affected package to a fixed version below.

—upgrade to 2.1.5 or later

Is CVE-2012-4399 being exploited?

Moderate — EPSS is 12.1%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 2.1.0-alpha, < 2.1.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-4399
PATCHgithub.com/cakephp/cakephp
WEBbakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1
WEBseclists.org/bugtraq/2012/Jul/101
WEB