CVE-2015-5161: XXE/XEE vulnerability via multibyte payloads

August 25, 2015 (updated December 23, 2016)

There’s a flow that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only apply when running under PHP-FPM in a threaded environment.

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161
framework.zend.com/security/advisory/ZF2015-06

Code Behaviors & Features

Detect and mitigate CVE-2015-5161 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →