Lucene search
Lukas Reschke – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.OWNCLOUD:791D4AD374A952D3AA6311607D22C0F2HistoryJul 03, 2014 - 6:22 p.m.
XXE in multiple third party components - ownCloud
2014-07-0318:22:45
Lukas Reschke – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.
owncloud.org
59
0.007 Low
EPSS
Percentile
78.6%
Multiple third party components of ownCloud are vulnerable to XXE attacks, which may lead to:
- Local File Disclosure
- Server Side Request Forgery
- DoS
- Code Execution (depending on the PHP wrappers)
- …
The following libraries are affected:
- ZendFramework: CVE-2014-2052
- GetID3: CVE-2014-2053
- PHPExcel: CVE-2014-2054
- SabreDAV: CVE-2014-2055
- PHPDocX: CVE-2014-2056
Affected Software
- ownCloud Server < 6.0.2 ()
- ownCloud Server < 5.0.15 ()
Action Taken
All vendors except PHPDocX have released an update. PHPDocX states that the admin is responsible to validate the DOCX document and is considering this as won’t fix.
Acknowledgements
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke - ownCloud Inc. ([email protected]) - Vulnerability discovery and disclosure.
| CPE | Name | Operator | Version |
|---|---|---|---|
| owncloud server | lt | 5.0.15 | |
| owncloud server | lt | 6.0.2 |
Related
owncloud
owncloud
Server: XXE in multiple third party components
2014-07-03 02:00:00
openvas
openvas
ownCloud Multiple Vulnerabilities-02 (Jul 2014)
2014-07-03 00:00:00
ownCloud < 5.0.15, 6.0.x < 6.0.2 Multiple Vulnerabilities
2021-09-21 00:00:00
Debian Security Advisory DSA 3001-1 (wordpress - security update)
2014-08-09 00:00:00
cve
cve
github
github
XXE in SabreDAV
2022-05-17 04:42:42
PHPExcel vulnerable to XXE attacks through libxml
2022-05-17 04:42:46
getID3 is vulnerable to XML External Entity (XXE)
2022-05-17 03:06:13
debiancve
debiancve
CVE-2014-2055
2014-06-04 14:55:00
CVE-2014-2053
2014-06-04 14:55:00
seebug
seebug
PHPExcel XML外部实体处理漏洞
2014-03-18 00:00:00
getID3() XML外部实体漏洞
2014-03-19 00:00:00
wpvulndb
wpvulndb
WordPress 3.6 - 3.9.1 XXE in GetID3 Library
2014-09-16 18:19:44
ubuntucve
ubuntucve
osv
osv
PHPExcel vulnerable to XXE attacks through libxml
2022-05-17 04:42:46
XXE in SabreDAV
2022-05-17 04:42:42
getID3 is vulnerable to XML External Entity (XXE)
2022-05-17 03:06:13
friendsofphp
friendsofphp
Potential XXE security issue
2014-09-14 18:13:30
nessus
nessus
Debian DSA-3001-1 : wordpress - security update
2014-08-10 00:00:00
Debian DLA-56-1 : wordpress security update
2015-03-26 00:00:00
WordPress < 3.7.4 / 3.8.4 / 3.9.2 Multiple Vulnerabilities
2014-08-12 00:00:00
debian
debian
[SECURITY] [DLA 56-1] wordpress security update
2014-09-17 12:05:09