CVE-2013-0340

Advisory lineage Upstream: 0 Downstream: 12
Modified
Published: 21 Jan 2014, 18:00
Last modified:25 Nov 2025, 16:27

Vulnerability Summary

Overall Risk (default)
medium
37/100
CVSS Score
6.8 MEDIUM
v2.0 (nvd)
EPSS Score
0.06% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

21 Jan 2014, 18:00
Published
Vulnerability first disclosed
25 Nov 2025, 16:27
Last Modified
Vulnerability information updated

Description

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

CVSS Metrics

  • v2.0MEDIUMScore: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.06% Percentile: 18%

Techniques & Countermeasures

  • CWE-611Improper Restriction of XML External Entity Reference

    The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Affected Systems

  • appleipados

    < 14.8

  • appleiphone_os

    < 14.8

  • UnknownmacOS

    < 11.6

  • appletvos

    < 15.0

  • applewatchos

    < 8.0

  • libexpat_projectlibexpat

    < 2.4.0

  • pythonpython

    ≥ 3.6.0, < 3.6.15 | ≥ 3.7.0, < 3.7.12 | ≥ 3.8.0, < 3.8.12 | ≥ 3.9.0, < 3.9.7

References (25)