CVE-2013-4701

Upstream information

CVE-2013-4701 at MITRE

Description

Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

---

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v2 Scores

	National Vulnerability Database
Base Score	7.5
Vector	AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector	Network
Access Complexity	Low
Authentication	None
Confidentiality Impact	Partial
Integrity Impact	Partial
Availability Impact	Partial

SUSE Bugzilla entry: 1082714 [RESOLVED / FIXED]

SUSE Security Advisories:

• openSUSE-SU-2016:2025-1, published Wed, 10 Aug 2016 22:09:17 +0200 (CEST)
• openSUSE-SU-2016:2114-1, published Fri, 19 Aug 2016 19:09:32 +0200 (CEST)

List of released packages

Product(s)	Fixed package version(s)	References
openSUSE 13.1	typo3-cms-4_5 >= 4.5.40-2.7.1 typo3-cms-4_7 >= 4.7.20-3.3.1	Patchnames: 2016-959
openSUSE Leap 42.1	typo3-cms-4_7 >= 4.7.20-7.1	Patchnames: openSUSE-2016-1002