CVE-2013-4295

Apache Shindig 2.5.0-beta1-2.5.0 - XML External Entity Injection in Gadget Renderer


Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-4295, a PoC published by Kousuke Ebihara.

AI-analyzed exploit summary: This exploit leverages an XML External Entity (XXE) injection vulnerability in Apache Shindig to disclose sensitive information by reading the contents of /etc/passwd. The PoC demonstrates the vulnerability by embedding an external entity reference in an XML module.

Description

The gadget renderer in Apache Shindig 2.5.0 for PHP allows remote attackers to obtain sensitive information via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Exploits (1)

Exploit-DB · Working PoC · Verified
by Kousuke Ebihara · text · remote · multiple
https://www.exploit-db.com/exploits/38813

Classification
Working PoC: 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Apache Shindig 2.5.0
Authentication: none needed
Prerequisites: Network access to the vulnerable Apache Shindig instance · Ability to send crafted XML requests
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References
- http://www.securityfocus.com/bid/63260 (Third Party Advisory, VDB Entry)
- http://shindig.apache.org/security.html (Patch, Vendor Advisory)
- http://archives.neohapsis.com/archives/bugtraq/2013-10/0104.html (Third Party Advisory, mailing list)

Scores

EPSS: 0.1701
EPSS Percentile: 95.1%

Details

CWE: CWE-200
Status: published
Products (2)
- apache/shindig 2.5.0
- org.apache.shindig/shindig-php 2.5.0-beta1 - 2.5.0-update1 (Maven)
Published: Oct 24, 2013
Tracked Since: Feb 18, 2026