CVE-2021-41559 - Quadratic blowup in Convert::xml2array()
- Severity: Medium (?)
- Identifier: CVE-2021-41559
- Versions Affected: silverstripe/framework: <=4.10.8
- Versions Fixed: silverstripe/framework: 4.10.9
- Release Date: 2022-06-28
The Convert::xml2array() function is vulnerable to quadratic blowup: a malicious XML document whose DOCTYPE declares internal entities can drive CPU usage to 100% and keep it there.
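A pre-parse guard of the kind a consumer of untrusted XML can put in front of a converter such as Convert::xml2array(), as an added example that is not Silverstripe's own fix: it rejects any document that carries a DOCTYPE (the only place internal entities can be declared) and caps input size. The function names and the 1 MiB limit are assumptions.

```php
<?php
// Added example, not code from the Silverstripe project. Guards untrusted XML
// before it reaches an array converter; names and limits are hypothetical.

function assertSafeXmlDocument(string $xml, int $maxBytes = 1024 * 1024): void
{
    if (strlen($xml) > $maxBytes) {
        throw new InvalidArgumentException('XML document exceeds size limit');
    }
    // The literal byte checks below assume an ASCII-compatible encoding;
    // a UTF-16 document could hide "<!DOCTYPE" from them, so require UTF-8.
    if (!mb_check_encoding($xml, 'UTF-8')) {
        throw new InvalidArgumentException('XML document must be UTF-8');
    }
    // Entity expansion (quadratic or otherwise) needs a DOCTYPE with
    // <!ENTITY ...> declarations. A document without one cannot trigger it.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        throw new InvalidArgumentException('XML documents with a DOCTYPE are not accepted');
    }
}

function loadXmlGuarded(string $xml): SimpleXMLElement
{
    assertSafeXmlDocument($xml);
    // LIBXML_NONET blocks network fetches; LIBXML_NOENT is deliberately NOT set,
    // so libxml performs no entity substitution even if the guard is bypassed.
    $previous = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET | LIBXML_NOCDATA);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($doc === false) {
        throw new RuntimeException('Malformed XML');
    }
    return $doc;
}

// Constructed inputs: a plain document is accepted, a DOCTYPE-bearing one is refused.
$plain = '<?xml version="1.0" encoding="UTF-8"?><root><item>ok</item></root>';
$withDoctype = '<?xml version="1.0"?><!DOCTYPE root [ <!ENTITY a "x"> ]><root>&a;</root>';

echo (string) loadXmlGuarded($plain)->item, PHP_EOL; // prints "ok"
try {
    loadXmlGuarded($withDoctype);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The guard is deliberately blunt: any legitimate feed that relies on a DOCTYPE would also be refused, so apply it only on inputs where a DOCTYPE is never expected.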
Base CVSS: 4.8
Reported by: Matthew Dekker from ZX Security