CVE-2014-5267
Drupal 6.x < 6.33 and 7.x < 7.31 - XML External Entity Injection via XRDS Document DOCTYPE
modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document.
References (4)
Core References
Patch, Vendor Advisory (x_refsource_confirm): https://www.drupal.org/SA-CORE-2014-004
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2014/dsa-2999
Various Sources (x_refsource_confirm): http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830
Mailing List (mailing-list, x_refsource_mlist): http://openwall.com/lists/oss-security/2014/08/16/4
Scores
EPSS: 0.0062
EPSS Percentile: 70.1%
Details
CWE: CWE-264
Status: published
Products (34)
drupal/drupal 6.0 (10 CPE variants)
drupal/drupal 6.1
drupal/drupal 6.2
drupal/drupal 6.3
drupal/drupal 6.4
drupal/drupal 6.5
drupal/drupal 6.6
drupal/drupal 6.7
drupal/drupal 6.8
drupal/drupal 6.9
... and 24 more
Published: Sep 30, 2014
Tracked Since: Feb 18, 2026