{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-01-17T00:00:00", "descriptions": [{"lang": "en", "value": "XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "openxchange-cve20137140-info-disclosure(90543)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90543"}, {"name": "65015", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/65015"}, {"name": "102194", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/102194"}, {"name": "1029650", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1029650"}, {"name": "20140117 Open-Xchange Security Advisory 2014-01-17", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://seclists.org/bugtraq/2014/Jan/57"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7140", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "openxchange-cve20137140-info-disclosure(90543)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90543"}, {"name": "65015", "refsource": "BID", "url": "http://www.securityfocus.com/bid/65015"}, {"name": "102194", "refsource": "OSVDB", "url": "http://www.osvdb.org/102194"}, {"name": "1029650", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1029650"}, {"name": "20140117 Open-Xchange Security Advisory 2014-01-17", "refsource": "BUGTRAQ", "url": "http://seclists.org/bugtraq/2014/Jan/57"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T18:01:19.433Z"}, "title": "CVE Program Container", "references": [{"name": "openxchange-cve20137140-info-disclosure(90543)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90543"}, {"name": "65015", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/65015"}, {"name": "102194", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/102194"}, {"name": "1029650", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1029650"}, {"name": "20140117 Open-Xchange Security Advisory 2014-01-17", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://seclists.org/bugtraq/2014/Jan/57"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7140", "datePublished": "2014-01-26T20:00:00", "dateReserved": "2013-12-18T00:00:00", "dateUpdated": "2024-08-06T18:01:19.433Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:*", "matchCriteriaId": "567B4139-220A-46A7-B847-616F99A1EA66", "versionEndIncluding": "7.4.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:6.20.7:*:*:*:*:*:*:*", "matchCriteriaId": "983E5F3A-E7AD-4CCA-80D4-9C012AFCCDD4", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F85EE0C-B7A0-455A-96F6-E4E6BA5D7216", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.1:*:*:*:*:*:*:*", "matchCriteriaId": "2D9572CB-9A46-492E-BDCC-E01849EF0EC0", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "138461CD-9C27-40E5-B7A0-A37737B6E942", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "108BCEFD-3098-4919-9B0C-E80F6FA1C102", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "DDBB02DF-1022-4FE5-B5E1-198DC58F8C1B", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "2BF31219-8390-4676-A9C4-D625A016C71E", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "75B04598-67CD-420B-92C9-9A7459295E11", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "8DAEED7B-C295-42B4-A60B-2EAA596E3D65", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks."}, {"lang": "es", "value": "Vulnerabilidad en entidades externas XML (XXE) en la interfaz de CalDAV en Open-Xchange (OX) AppSuite 7.4.1 y anteriores permite a usuarios remotos autenticados leer porciones de archivos arbitrarios a trav\u00e9s de vectores relacionados con el constructor de SAX y la interfaz de WebDAV. NOTA: este problema ha sido etiquetado como tanto como de recorrido ruta absoluta y XXE, pero la causa raiz puede ser XXE, ya XXE puede ser explotado para realizar el recorrido ruta absoluta y otros ataques."}], "evaluatorComment": "CWE-611: Improper Restriction of XML External Entity Reference ('XXE')", "id": "CVE-2013-7140", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-01-26T20:55:05.877", "references": [{"source": "cve@mitre.org", "url": "http://seclists.org/bugtraq/2014/Jan/57"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/102194"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/65015"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1029650"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90543"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/bugtraq/2014/Jan/57"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/102194"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/65015"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1029650"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90543"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}