Vulnerability CVE-2013-1915


Published: 2013-04-25   Modified: 2013-04-26

Description:
ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability.

See advisories in our WLB2 database:
Topic: ModSecurity 2.7.3 XML External Entity attacks
Risk: High
Author: Jan
Date: 03.04.2013

Type: CWE-20 (Improper Input Validation)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software: ModSecurity -> ModSecurity

References:
https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES
https://bugzilla.redhat.com/show_bug.cgi?id=947842
http://www.securityfocus.com/bid/58810
http://www.openwall.com/lists/oss-security/2013/04/03/7
http://www.mandriva.com/security/advisories?name=MDVSA-2013:156
http://www.debian.org/security/2013/dsa-2659
http://secunia.com/advisories/52977
http://secunia.com/advisories/52847
http://lists.opensuse.org/opensuse-updates/2013-08/msg00031.html
http://lists.opensuse.org/opensuse-updates/2013-08/msg00025.html
http://lists.opensuse.org/opensuse-updates/2013-08/msg00020.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102616.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101911.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101898.html

Copyright 2024, cxsecurity.com