Description
Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
References (5)
Core References
Exploit, Patch x_refsource_confirm
https://github.com/openid/php-openid/commit/625c16bb28bb120d262b3f19f89c2c06cb9b0da9
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00028.html
Third Party Advisory third-party-advisory x_refsource_jvndb
http://jvndb.jvn.jp/jvndb/JVNDB-2013-000080
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2016-08/msg00083.html
Third Party Advisory third-party-advisory x_refsource_jvn
http://jvn.jp/en/jp/JVN24713981/index.html
Scores
EPSS
0.0088
EPSS Percentile
75.6%
Details
Status
published
Products (3)
janrain/php-openid
< 2.2.2
openid/php-openid
0 - 2.3.0 (Packagist)
typo3/cms
6.2.0 - 6.2.6 (Packagist)
Published
Aug 21, 2013
Tracked Since
Feb 18, 2026