CVE-2015-9541 — XML Entity Expansion in QT

CWE-776 — XML Entity Expansion8 documents7 sources

Severity

7.5HIGHNVD

OSV6.5

EPSS

0.9%

top 24.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

QT Debian Qtbase-opensource-src Fedoraproject Fedora +6 more

Timeline

PublishedJan 24

Latest updateMay 24

Description

Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages8 packages

▶NVDqt/qt5.5.0 — 5.12.8

▶debiandebian/qtbase-opensource-src< qtbase-opensource-src 5.12.5+dfsg-9 (bookworm)

▶msrcmsrc/cbl_mariner_1.0_arm

▶msrcmsrc/cbl_mariner_1.0_x64

▶msrcmsrc/cbl_mariner_2.0_arm

Also affects: Fedora 31, 32

🔴Vulnerability Details

GHSA

GHSA-h29v-8cc2-w88r: Qt through 5↗2022-05-24

▶

OSV

CVE-2015-9541: Qt through 5↗2020-01-24

▶

📋Vendor Advisories

Microsoft

Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader a related issue to CVE-2003-1564.↗2020-01-14

▶

Red Hat

qt: XML entity expansion vulnerability↗2015-07-24

▶

Debian

CVE-2015-9541: qtbase-opensource-src - Qt through 5.14 allows an exponential XML entity expansion attack via a crafted ...↗2015

▶

💬Community

Bugzilla

CVE-2015-9541 qt: XML entity expansion vulnerability↗2020-02-10

▶

Bugzilla

CVE-2015-9541 qt5: qt: XML entity expansion vulnerability [fedora-all]↗2020-02-10

▶