CVE-2013-0340

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

Published: Jan 21, 2014
Updated: Nov 8, 2023
CVE: CVE-2013-0340
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-611

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
libexpat_project / libexpat	-	2.4.0
python / python	3.8.0	3.8.12
python / python	3.9.0	3.9.7
python / python	3.7.0	3.7.12
python / python	3.6.0	3.6.15
apple / ipados	-	14.8
apple / iphone_os	-	14.8
apple / macos	-	11.6
apple / watchos	-	8.0
apple / tvos	-	15.0

Vulnerability Database

289,599

CVE-2013-0340