cbcvebase.
CVE-2013-0340
published 2014-01-21

CVE-2013-0340: expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows…

medium6.8CVSS 3.1
AVNACMAuNCPIPAP
expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

Affected

21 ranges
VendorProductVersion rangeFixed in
apacheopenoffice<= 4.1.10
apache_software_foundationapache_openofficeApache OpenOffice – 4.1.10
apache_software_foundationapache_openofficeOpenOffice.org – 3.4
appleios_14.8_and_ipados
appleios_15_and_ipados
appleipados< 14.814.8
appleiphone_os< 14.814.8
applemacos< 11.611.6
applemacos_big_sur
applesecurity_update_2021-005_catalina
appletvos< 15.015.0
appletvos
applewatchos< 8.08.0
applewatchos_8
debianexpat< expat 2.4.1-2 (bookworm)expat 2.4.1-2 (bookworm)
debianlibxmltok< expat 2.4.1-2 (bookworm)expat 2.4.1-2 (bookworm)
libexpat_projectlibexpat< 2.4.02.4.0
pythonpython>= 3.6.0 < 3.6.153.6.15
pythonpython>= 3.7.0 < 3.7.123.7.12
pythonpython>= 3.8.0 < 3.8.123.8.12
pythonpython>= 3.9.0 < 3.9.73.9.7

CVSS provenance

nvd6.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
osv6.8MEDIUM