CVE-2013-4701

Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Published Byvultures@jpcert.or.jp

Published DateAug 21, 2013, 16:55

Affected Versions(2)

openid/php-openid(Packagist)

Introduced0

Fixed2.3.0

LimitN/A

typo3/cms(Packagist)

Introduced6.2.0

Fixed6.2.6

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
openid/php-openid(Packagist)	0	2.3.0	N/A
typo3/cms(Packagist)	6.2.0	6.2.6	N/A

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

7.5

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

7.5

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL