Vulnerabilites related to phpexcel_project - phpexcel
Vulnerability from fkie_nvd
Published
2014-06-04 14:55
Modified
2024-11-21 02:05
Severity ?
Summary
PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| owncloud | owncloud | 6.0.0 | |
| owncloud | owncloud | 6.0.1 | |
| phpexcel_project | phpexcel | * | |
| owncloud | owncloud | * | |
| owncloud | owncloud | 5.0.0 | |
| owncloud | owncloud | 5.0.1 | |
| owncloud | owncloud | 5.0.2 | |
| owncloud | owncloud | 5.0.3 | |
| owncloud | owncloud | 5.0.4 | |
| owncloud | owncloud | 5.0.5 | |
| owncloud | owncloud | 5.0.6 | |
| owncloud | owncloud | 5.0.7 | |
| owncloud | owncloud | 5.0.8 | |
| owncloud | owncloud | 5.0.9 | |
| owncloud | owncloud | 5.0.10 | |
| owncloud | owncloud | 5.0.11 | |
| owncloud | owncloud | 5.0.12 | |
| owncloud | owncloud | 5.0.13 | |
| owncloud | owncloud | 5.0.14 | |
| phpexcel_project | phpexcel | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:owncloud:owncloud:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3A499C18-61F0-486C-99E5-F6DD74EE5521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "237F18EA-1A9B-4DE6-B604-12EB651F5F0F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phpexcel_project:phpexcel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3F54EA98-9036-41FD-B69C-8B2FA7D07E3B",
"versionEndIncluding": "1.7.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:owncloud:owncloud:*:a:*:*:*:*:*:*",
"matchCriteriaId": "CF8A525D-F052-449B-AFD8-DC6A956D30D9",
"versionEndIncluding": "5.0.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DF826F2B-83E1-4E64-A56C-B564028EBD6A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "22A19441-2041-45DC-9F59-783C9B1FF9D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "43448288-B129-4210-9680-55836869F09F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:5.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "78639CDB-3763-4E71-B4F9-E51E5A261A16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:5.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "8DBE1CE3-7A8D-4C97-8066-F59C346A0494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:5.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0F97DF5D-DC0E-43FB-B0D2-4AA8C2A5413D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:5.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "55475558-53CA-4764-9A70-1355D5759CFA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:5.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC3BCEC-9685-4899-91B6-1889FAB235C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:5.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D4055273-FBA3-46A7-9B0B-0A5A8BB2E0AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:5.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "56985A58-4F38-4192-AEC3-7953184206E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:5.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "D6510E0F-BA72-4591-8931-83974EFCDF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:5.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "14E553AC-B7F1-4692-8BC7-C59CE39C5CD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:5.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "3F1D79C4-2B24-4E55-8217-FDC00F22EC44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:5.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "16960810-E5B8-45EC-A54D-55941B1E728A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:owncloud:owncloud:5.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "1DF9CAFD-F2E5-4AD4-BB65-D04A87E8E3B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phpexcel_project:phpexcel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3F54EA98-9036-41FD-B69C-8B2FA7D07E3B",
"versionEndIncluding": "1.7.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack."
},
{
"lang": "es",
"value": "PHPExcel anterior a 1.8.0, utilizado en ownCloud Server anterior a 5.0.15 y 6.0.x anterior a 6.0.2, no deshabilita la carga de entidades externas en libxml, lo que permite a atacantes remotos leer archivos arbitrarios, causar una denegaci\u00f3n de servicio o posiblemente tener otro impacto a trav\u00e9s de un ataque de entidad externa XML (XXE)."
}
],
"evaluatorComment": "Per: http://cwe.mitre.org/data/definitions/611.html\n\n\"CWE-611: Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)\"",
"id": "CVE-2014-2054",
"lastModified": "2024-11-21T02:05:32.977",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-06-04T14:55:03.983",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/PHPOffice/PHPExcel/blob/develop/changelog.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/PHPOffice/PHPExcel/blob/develop/changelog.txt"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2014-2054
Vulnerability from cvelistv5
Published
2014-06-04 14:00
Modified
2024-08-06 09:58
Severity ?
EPSS score ?
Summary
PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/PHPOffice/PHPExcel/blob/develop/changelog.txt | x_refsource_CONFIRM | |
| http://owncloud.org/about/security/advisories/oC-SA-2014-006/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:58:16.333Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PHPOffice/PHPExcel/blob/develop/changelog.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-03-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-06-04T13:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PHPOffice/PHPExcel/blob/develop/changelog.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-2054",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PHPOffice/PHPExcel/blob/develop/changelog.txt",
"refsource": "CONFIRM",
"url": "https://github.com/PHPOffice/PHPExcel/blob/develop/changelog.txt"
},
{
"name": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/",
"refsource": "CONFIRM",
"url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-2054",
"datePublished": "2014-06-04T14:00:00",
"dateReserved": "2014-02-19T00:00:00",
"dateUpdated": "2024-08-06T09:58:16.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}