CVE-2013-1915

Published: 25/04/2013 Updated: 12/02/2021
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

ModSecurity prior to 2.7.3 allows remote malicious users to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability.

Vulnerable Product

trustwave modsecurity

opensuse opensuse 11.4

opensuse opensuse 12.2

opensuse opensuse 12.3

fedoraproject fedora 17

fedoraproject fedora 18

fedoraproject fedora 19

debian debian linux 6.0

debian debian linux 7.0

Vendor Advisories

Debian Bug report logs - #704625 modsecurity-apache: CVE-2013-1915: Vulnerable to XXE attacks
Package: modsecurity-apache; Maintainer for modsecurity-apache is Alberto Gonzalez Iniesta <agi@inittab.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 3 Apr 2013 18:36:01 UTC
Severity: grave
Tags: pa ...

Timur Yunusov and Alexey Osipov from Positive Technologies discovered that the XML files parser of ModSecurity, an Apache module whose purpose is to tighten the Web application security, is vulnerable to XML external entities attacks. A specially-crafted XML file provided by a remote attacker, could lead to local file disclosure or excessive resour ...