High severity7.5NVD Advisory· Published Oct 9, 2012· Updated Apr 29, 2026
CVE-2012-4399
CVE-2012-4399
Description
The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
cakephp/cakephpPackagist | >= 2.1.0-alpha, < 2.1.5 | 2.1.5 |
cakephp/cakephpPackagist | >= 2.2.0-beta, < 2.2.1 | 2.2.1 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- seclists.org/bugtraq/2012/Jul/101nvdExploitMailing ListThird Party AdvisoryWEB
- www.exploit-db.com/exploits/19863nvdExploitThird Party AdvisoryVDB EntryWEB
- bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1nvdBroken LinkVendor AdvisoryWEB
- secunia.com/advisories/49900nvdBroken LinkVendor AdvisoryWEB
- github.com/advisories/GHSA-5964-pq8r-4q62ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2012-4399ghsaADVISORY
- www.openwall.com/lists/oss-security/2012/09/03/1nvdMailing ListWEB
- www.openwall.com/lists/oss-security/2012/09/03/2nvdMailing ListWEB
- www.osvdb.org/84042nvdBroken LinkWEB
News mentions
0No linked articles in our index yet.