Zend_Feed_Atom were found to contain potential XML
eXternal Entity (XXE) vectors due to insecure usage of PHP's DOM extension.
External entities could be specified by adding a specific DOCTYPE element to
feeds; exploiting this vulnerability could coerce opening arbitrary files and/or
A similar issue was fixed for 1.11.13 and 1.12.0, in the
factory method; however, the reporter of the issue discovered that the
individual classes contained similar functionality in their constructors which
A patch was applied that removes the XXE vector by calling
libxml_disable_entity_loader() before attempting to parse the feed via
If you are using any of the components listed, and, in particular, were directly instantiating them, we recommend upgrading to either version 1.11.15 or 1.12.1 or greater.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org