The libxml_disable_entity_loader function in runtime/ext/ext_simplexml.cpp in HipHop Virtual Machine for PHP (HHVM) before 2.4.0 and 2.3.x before 2.3.3 does not properly disable a certain libxml handler, which allows remote attackers to conduct XML External Entity (XXE) attacks.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| hiphop_virtual_machine_for_php_project | hiphop_virtual_machine_for_php | 2.0.2 |
| hiphop_virtual_machine_for_php_project | hiphop_virtual_machine_for_php | 2.1.0 |
| hiphop_virtual_machine_for_php_project | hiphop_virtual_machine_for_php | * |
| hiphop_virtual_machine_for_php_project | hiphop_virtual_machine_for_php | 2.0.0 |
| hiphop_virtual_machine_for_php_project | hiphop_virtual_machine_for_php | 2.2.0 |
| hiphop_virtual_machine_for_php_project | hiphop_virtual_machine_for_php | 2.0.1 |
| hiphop_virtual_machine_for_php_project | hiphop_virtual_machine_for_php | 2.3.0 |
| hiphop_virtual_machine_for_php_project | hiphop_virtual_machine_for_php | 2.3.1 |
Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.21 |
| php | php | 5.5.22 |
| hiphop_virtual_machine_for_php_project | hiphop_virtual_machine_for_php | * |
| php | php | 5.5.19 |
| php | php | 5.6.4 |
| php | php | 5.6.11 |
| php | php | 5.5.9 |
| php | php | 5.6.10 |
| php | php | 5.5.26 |
| php | php | 5.6.8 |
| php | php | 5.5.5 |
| php | php | 5.5.7 |
| php | php | 5.6.5 |
| php | php | 5.5.1 |
| php | php | 5.6.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.3 |
| php | php | 5.5.23 |
| php | php | 5.5.3 |
| php | php | 5.5.12 |
| php | php | 5.6.12 |
| php | php | 5.5.8 |
| php | php | 5.5.27 |
| php | php | 5.5.14 |
| php | php | 5.5.18 |
| php | php | * |
| php | php | 5.5.4 |
| php | php | 5.6.6 |
| php | php | 5.6.0 |
| php | php | 5.5.28 |
| php | php | 5.5.0 |
| php | php | 5.6.9 |
| php | php | 5.5.10 |
| php | php | 5.6.2 |
| php | php | 5.5.24 |
| php | php | 5.5.2 |
| php | php | 5.5.13 |
| php | php | 5.5.25 |
| php | php | 5.5.20 |
| php | php | 5.5.6 |