CVE-2013-7140 (GCVE-0-2013-7140)
Vulnerability from cvelistv5 – Published: 2014-01-26 20:00 – Updated: 2024-08-06 18:01
VLAI?
Summary
XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:01:19.433Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openxchange-cve20137140-info-disclosure(90543)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90543"
},
{
"name": "65015",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/65015"
},
{
"name": "102194",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/102194"
},
{
"name": "1029650",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1029650"
},
{
"name": "20140117 Open-Xchange Security Advisory 2014-01-17",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://seclists.org/bugtraq/2014/Jan/57"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-01-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "openxchange-cve20137140-info-disclosure(90543)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90543"
},
{
"name": "65015",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/65015"
},
{
"name": "102194",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/102194"
},
{
"name": "1029650",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1029650"
},
{
"name": "20140117 Open-Xchange Security Advisory 2014-01-17",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://seclists.org/bugtraq/2014/Jan/57"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-7140",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openxchange-cve20137140-info-disclosure(90543)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90543"
},
{
"name": "65015",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/65015"
},
{
"name": "102194",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/102194"
},
{
"name": "1029650",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1029650"
},
{
"name": "20140117 Open-Xchange Security Advisory 2014-01-17",
"refsource": "BUGTRAQ",
"url": "http://seclists.org/bugtraq/2014/Jan/57"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-7140",
"datePublished": "2014-01-26T20:00:00",
"dateReserved": "2013-12-18T00:00:00",
"dateUpdated": "2024-08-06T18:01:19.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"7.4.1\", \"matchCriteriaId\": \"567B4139-220A-46A7-B847-616F99A1EA66\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:open-xchange:open-xchange_appsuite:6.20.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"983E5F3A-E7AD-4CCA-80D4-9C012AFCCDD4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2F85EE0C-B7A0-455A-96F6-E4E6BA5D7216\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2D9572CB-9A46-492E-BDCC-E01849EF0EC0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"138461CD-9C27-40E5-B7A0-A37737B6E942\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"108BCEFD-3098-4919-9B0C-E80F6FA1C102\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DDBB02DF-1022-4FE5-B5E1-198DC58F8C1B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2BF31219-8390-4676-A9C4-D625A016C71E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"75B04598-67CD-420B-92C9-9A7459295E11\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8DAEED7B-C295-42B4-A60B-2EAA596E3D65\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad en entidades externas XML (XXE) en la interfaz de CalDAV en Open-Xchange (OX) AppSuite 7.4.1 y anteriores permite a usuarios remotos autenticados leer porciones de archivos arbitrarios a trav\\u00e9s de vectores relacionados con el constructor de SAX y la interfaz de WebDAV. NOTA: este problema ha sido etiquetado como tanto como de recorrido ruta absoluta y XXE, pero la causa raiz puede ser XXE, ya XXE puede ser explotado para realizar el recorrido ruta absoluta y otros ataques.\"}]",
"evaluatorComment": "CWE-611: Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)",
"id": "CVE-2013-7140",
"lastModified": "2024-11-21T02:00:24.613",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:N/A:N\", \"baseScore\": 4.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2014-01-26T20:55:05.877",
"references": "[{\"url\": \"http://seclists.org/bugtraq/2014/Jan/57\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.osvdb.org/102194\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/bid/65015\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securitytracker.com/id/1029650\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/90543\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://seclists.org/bugtraq/2014/Jan/57\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.osvdb.org/102194\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/65015\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securitytracker.com/id/1029650\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/90543\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2013-7140\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2014-01-26T20:55:05.877\",\"lastModified\":\"2025-04-11T00:51:21.963\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad en entidades externas XML (XXE) en la interfaz de CalDAV en Open-Xchange (OX) AppSuite 7.4.1 y anteriores permite a usuarios remotos autenticados leer porciones de archivos arbitrarios a trav\u00e9s de vectores relacionados con el constructor de SAX y la interfaz de WebDAV. NOTA: este problema ha sido etiquetado como tanto como de recorrido ruta absoluta y XXE, pero la causa raiz puede ser XXE, ya XXE puede ser explotado para realizar el recorrido ruta absoluta y otros ataques.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"7.4.1\",\"matchCriteriaId\":\"567B4139-220A-46A7-B847-616F99A1EA66\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:6.20.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"983E5F3A-E7AD-4CCA-80D4-9C012AFCCDD4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F85EE0C-B7A0-455A-96F6-E4E6BA5D7216\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2D9572CB-9A46-492E-BDCC-E01849EF0EC0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"138461CD-9C27-40E5-B7A0-A37737B6E942\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"108BCEFD-3098-4919-9B0C-E80F6FA1C102\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DDBB02DF-1022-4FE5-B5E1-198DC58F8C1B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2BF31219-8390-4676-A9C4-D625A016C71E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"75B04598-67CD-420B-92C9-9A7459295E11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8DAEED7B-C295-42B4-A60B-2EAA596E3D65\"}]}]}],\"references\":[{\"url\":\"http://seclists.org/bugtraq/2014/Jan/57\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.osvdb.org/102194\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/65015\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securitytracker.com/id/1029650\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/90543\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://seclists.org/bugtraq/2014/Jan/57\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.osvdb.org/102194\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/65015\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1029650\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/90543\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}],\"evaluatorComment\":\"CWE-611: Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)\"}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…