Re: eBay Magento <= 1.9.2.1 XML eXternal Entity Injection (XXE) on PHP FPM

Posted by Dawid Golunski on Nov 06

Hi,

There are some news sites that confuse this Magento/Zend Framework
vulnerability with an old SOAP parser XXE vulnerability of CVE-2013-1643
in the PHP core which was fixed in PHP 5.4.13 in 2013.
The incorrect news may give a false sense of security to users with
newer PHP versions when in fact, their Magento installation may be
affected.

I wanted to clarify that the Magento/Zend Framework vulnerability I reported
does not depend on this old…
