Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

CVE-2021-41559 - Quadratic blowup in Convert::xml2array()

Severity:
Medium (?)
Identifier:
CVE-2021-41559
Versions Affected:
silverstripe/framework: <=4.10.8
Versions Fixed:
silverstripe/framework: 4.10.9
Release Date:
2022-06-28

The Convert::xml2array() function is vulnerable to quadratic blowup where a malicious xml doctype with internal entities can cause CPU usage to go to 100% and stay there.

Base CVSS: 4.8

Reported by: Matthew Dekker from ZX Security