7.5

CVSS Score

Basic Information

CVE ID

CVE-2013-4701

GHSA ID

GHSA-5qp6-78pr-gv8c

EPSS Score

0.7439%

CWE

CWE-400

Published

5/17/2022

Updated

2/6/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2013-4701

CVE-2013-4701: PHP OpenID Library Denial of Service vulnerability

Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

(GitHub Advisory)

7.5

CVSS Score

Basic Information

CVE ID

CVE-2013-4701

GHSA ID

GHSA-5qp6-78pr-gv8c

EPSS Score

0.7439%

CWE

CWE-400

Published

5/17/2022

Updated

2/6/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
openid/php-openid	composer	< 2.3.0	2.3.0
typo3/cms	composer	>= 6.2.0, < 6.2.6	6.2.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the setXML method in Auth/Yadis/XML.php, which processed untrusted XML input without proper XXE protections. The GitHub patch explicitly adds libxml_disable_entity_loader(true) and error handling around the loadXML call, confirming this was the vulnerable code path. The TYPO3/CMS package is listed as vulnerable due to its dependency on php-openid, but the root vulnerable function resides in the openid library's XML parser implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ut*/Y**is/XML.p*p in P*P Op*nI* Li*r*ry *.*.* *n* **rli*r *llows r*mot* *tt**k*rs to r*** *r*itr*ry *il*s, s*n* *TTP r*qu*sts to intr*n*t s*rv*rs, or **us* * **ni*l o* s*rvi** (*PU *n* m*mory *onsumption) vi* XR*S **t* *ont*inin* *n *xt*rn*l *ntity

Reasoning

T** vuln*r**ility st*ms *rom t** s*tXML m*t*o* in *ut*/Y**is/XML.p*p, w*i** pro**ss** untrust** XML input wit*out prop*r XX* prot**tions. T** *it*u* p*t** *xpli*itly ***s li*xml_*is**l*_*ntity_lo***r(tru*) *n* *rror **n*lin* *roun* t** lo**XML **ll,

7.5

Basic Information

Concerned about an active attack path?

CVE-2013-4701: PHP OpenID Library Denial of Service vulnerability

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI