CVE-2019-12331 #1041

MarkBaker · 2019-06-30T21:45:10Z

This is:

- [ ] a bugfix
- [ ] a new feature
- [X] security

Checklist:

Changes are covered by unit tests
Code style is respected
Commit message explains why the change is made (see https://github.com/erlang/otp/wiki/Writing-good-commit-messages)
CHANGELOG.md contains a short summary of the change
Documentation is updated as necessary

Why this change is needed?

Security fix for CVE-2019-12331

Correct use of LibXml_Disable_Entity_Loader

* Detect doubly-encoded xml to hide XXE attacks Correct use of LibXml_Disable_Entity_Loader * New test for double-encoded xml in security scanner

MarkBaker added 3 commits June 28, 2019 23:07

Detect doubly-encoded xml to hide XXE attacks

b7831d5

Correct use of LibXml_Disable_Entity_Loader

New test for double-encoded xml in security scanner

499df0f

Code sniffs in modified security scanner

2489dd6

MarkBaker merged commit 0e6238c into master Jun 30, 2019

MarkBaker deleted the CVE-2019-12331 branch June 30, 2019 22:55

klausi mentioned this pull request Jun 30, 2020

Add PHPOffice/PhpSpreadsheet - CVE-2019-12331. FriendsOfPHP/security-advisories#472

Merged

MarkLee131 mentioned this pull request Nov 22, 2023

[GHSA-vvwv-h69m-wg6f] XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue github/advisory-database#2981

Merged

BlackyTay pushed a commit to BlackyTay/PhpSpreadsheet that referenced this pull request Aug 8, 2025

CVE-2019-12331 (PHPOffice#1041)

a861eb0

* Detect doubly-encoded xml to hide XXE attacks Correct use of LibXml_Disable_Entity_Loader * New test for double-encoded xml in security scanner

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CVE-2019-12331 #1041

CVE-2019-12331 #1041

Uh oh!

MarkBaker commented Jun 30, 2019

Uh oh!

Uh oh!

CVE-2019-12331 #1041

CVE-2019-12331 #1041

Uh oh!

Conversation

MarkBaker commented Jun 30, 2019

Why this change is needed?

Uh oh!

Uh oh!