CVE-2014-5265Wordpress vulnerability

CWE-39910 documents5 sources
Severity
5.0MEDIUMNVD
OSV6.5
EPSS
7.0%
top 8.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
WordpressDebian WordpressDebian Linux+1 more
Timeline
PublishedAug 18
Latest updateMay 17

Description

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

debiandebian/wordpress< wordpress 3.9.2+dfsg-1 (bookworm)
Debianwordpress/wordpress< 3.9.2+dfsg-1+3
NVDwordpress/wordpress3.9.1+30
NVDdrupal/drupal65 versions+64

Also affects: Debian Linux 7.0

Patches

Patch: wordpress.orgPatch: www.drupal.orgPatch: wordpress.org

🔴Vulnerability Details

4
GHSA
GHSA-94p2-4f88-99g7: The Incutio XML-RPC (IXR) Library, as used in WordPress before 32022-05-17
GHSA
GHSA-mqgc-42gw-w5hm: The Incutio XML-RPC (IXR) Library, as used in WordPress before 32022-05-17
OSV
CVE-2014-5266: The Incutio XML-RPC (IXR) Library, as used in WordPress before 32014-08-18
OSV
CVE-2014-5265: The Incutio XML-RPC (IXR) Library, as used in WordPress before 32014-08-18

📋Vendor Advisories

2
Debian
CVE-2014-5266: wordpress - The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal ...2014
Debian
CVE-2014-5265: wordpress - The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal ...2014

💬Community

2
Bugzilla
CVE-2014-5265 CVE-2014-5266 CVE-2014-5267 drupal: denial of service issue (SA-CORE-2014-004)2014-08-07
Bugzilla
CVE-2014-5265 CVE-2014-5266 wordpress: security issues fixed in version 3.9.22014-08-07
CVE-2014-5265 — Debian Wordpress vulnerability | cvebase