Vulnerability Details CVE-2014-1439
The libxml_disable_entity_loader function in runtime/ext/ext_simplexml.cpp in HipHop Virtual Machine for PHP (HHVM) before 2.4.0 and 2.3.x before 2.3.3 does not properly disable a certain libxml handler, which allows remote attackers to conduct XML External Entity (XXE) attacks.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 61.5%
CVSS Severity
CVSS v2 Score 5.0
References
- http://www.hhvm.com/blog/3287/hhvm-2-4-0
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90979
- https://github.com/facebook/hhvm/commit/95f96e7287effe2fcdfb9a5338d1a7e4f55b083b
- http://www.hhvm.com/blog/3287/hhvm-2-4-0
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90979
- https://github.com/facebook/hhvm/commit/95f96e7287effe2fcdfb9a5338d1a7e4f55b083b
Products affected by CVE-2014-1439
-
cpe:2.3:a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.0.0
-
cpe:2.3:a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.0.1
-
cpe:2.3:a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.0.2
-
cpe:2.3:a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.1.0
-
cpe:2.3:a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.2.0
-
cpe:2.3:a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.3.0
-
cpe:2.3:a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.3.1
-
cpe:2.3:a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:2.3.2