DEBIAN-CVE-2013-0340
Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 21 Jan 2014, 18:55
Last modified:28 Apr 2026, 20:12
Vulnerability Summary
Overall Risk (default)
minimal
0/100 CVSS Score
No data
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
21 Jan 2014, 18:55
Published
Vulnerability first disclosed
28 Apr 2026, 20:12
Last Modified
Vulnerability information updated
Description
expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
Affected Systems
- debian•expat
all | < 2.4.1-2 | < 2.4.1-2 | < 2.4.1-2
- debian•libxmltok
all | all