Debian Linux Security Advisory 3340-1 - Dawid Golunski discovered that when running under PHP-FPM in a threaded environment, Zend Framework, a PHP framework, did not properly handle XML data in multibyte encoding. This could be used by remote attackers to perform an XML External Entity attack via crafted XML data.
23d6416156f37ab76976ca96977e08ed7c0c6841cde302f768e47b512c50093f
Zend Framework versions 2.4.2 and below, and 1.12.13 and below, suffer from an XML external entity injection vulnerability.
cccb5dc964df6b506118b1a8ca7240bbdddcf7b3aded48bd2c1c454e40f791da