CVE-2013-1915 — XML External Entity (XXE) Injection in Modsecurity

CWE-611 — XML External Entity (XXE) Injection8 documents6 sources

Severity

7.5HIGHNVD

EPSS

4.8%

top 10.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Trustwave Modsecurity Debian Linux Fedoraproject Fedora +1 more

Timeline

PublishedApr 25

Latest updateMay 13

Description

ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶NVDtrustwave/modsecurity< 2.7.3

▶NVDopensuse/opensuse11.4, 12.2, 12.3+2

Also affects: Debian Linux 6.0, 7.0, Fedora 17, 18, 19

Patches

Patch: www.openwall.com ↗Patch: bugzilla.redhat.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-mmcg-c68q-4p38: ModSecurity before 2↗2022-05-13

▶

CVEList

CVE-2013-1915: ModSecurity before 2↗2013-04-25

▶

OSV

CVE-2013-1915: ModSecurity before 2↗2013-04-25

▶

📋Vendor Advisories

Debian

CVE-2013-1915: modsecurity-apache - ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send H...↗2013

▶

💬Community

Bugzilla

CVE-2013-1915 mod_security: Vulnerable to XXE attacks [epel-all]↗2013-04-03

▶

Bugzilla

CVE-2013-1915 mod_security: Vulnerable to XXE attacks [fedora-all]↗2013-04-03

▶

Bugzilla

CVE-2013-1915 mod_security: Vulnerable to XXE attacks↗2013-04-03

▶