
CVE-2013-4295: Apache Shindig PHP Sensitive Information Disclosure

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.97567%
Published: 5/17/2022
Updated: 8/29/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name: org.apache.shindig:shindig-php
Ecosystem: maven
Vulnerable Versions: >= 2.5.0-beta1, < 2.5.0-update1
First Patched Version: 2.5.0-update1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is an XXE in the PHP gadget renderer; XXE typically arises when XML parsing functions are used without disabling external entities. Given that the fix involved addressing XML parsing (as referenced in revision 1526307), the renderGadget method that handles XML input would be the primary suspect. PHP's SimpleXML/DOMDocument with default settings permits external entities, making this a high-confidence assessment despite the lack of direct commit details.
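As an added example (not Shindig's own code), the following hardened loader shows how a PHP gadget renderer can parse untrusted gadget-spec XML without resolving external entities; the function name and the sample documents are constructed for illustration.

```php
<?php
// Added example, not from Apache Shindig: a hardened loader for gadget-spec XML
// that blocks the external-entity pattern behind this CVE. Names are assumptions.

/**
 * Parse untrusted gadget XML without resolving any external entities.
 * Returns a DOMDocument on success, or null if the document is rejected.
 */
function loadGadgetXmlSafely(string $xml): ?DOMDocument
{
    // Defence 1: a gadget spec never needs a DTD, so reject any DOCTYPE
    // (that is where <!ENTITY ... SYSTEM ...> declarations would live).
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        return null;
    }

    // Defence 2: if libxml still attempts to load an external entity or DTD,
    // the resolver returns null, which makes the load fail instead of fetching.
    libxml_set_external_entity_loader(
        static function (?string $publicId, ?string $systemId, array $context) {
            return null;
        }
    );

    $dom = new DOMDocument();
    $dom->resolveExternals = false;   // do not follow external DTD subsets
    $dom->substituteEntities = false; // do not expand entity references

    // Defence 3: never pass LIBXML_NOENT or LIBXML_DTDLOAD; LIBXML_NONET also
    // denies network access for anything the parser might otherwise reach for.
    $ok = @$dom->loadXML($xml, LIBXML_NONET);

    libxml_set_external_entity_loader(null); // restore the default resolver
    return $ok ? $dom : null;
}

// Constructed inputs: a clean gadget spec, and one carrying an external entity
// declaration with a placeholder system identifier (not a real target).
$clean = '<?xml version="1.0"?><Module><ModulePrefs title="Hello"/>'
    . '<Content type="html"><![CDATA[<p>hi</p>]]></Content></Module>';
$withEntity = '<?xml version="1.0"?>'
    . '<!DOCTYPE Module [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    . '<Module><ModulePrefs title="&ext;"/><Content type="html"/></Module>';

echo 'clean spec accepted: ', loadGadgetXmlSafely($clean) !== null ? 'yes' : 'no', PHP_EOL;
echo 'spec with entity accepted: ', loadGadgetXmlSafely($withEntity) !== null ? 'yes' : 'no', PHP_EOL;
```

A renderer that must accept a DTD for some legitimate reason can drop Defence 1 and rely on the other two, but for gadget specs rejecting the DOCTYPE outright is the simplest check to audit.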


WAF Protection Rules

WAF Rule

The gadget renderer in Apache Shindig 2.5.0 for PHP allows remote attackers to obtain sensitive information via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE).
