5.8

CVE-2013-3925

Exploit
Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers via a request to (1) /services/2 or (2) services/latest with a DTD containing an XML external entity declaration in conjunction with an entity reference.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AtlassianCrowd Version2.5.0
AtlassianCrowd Version2.5.1
AtlassianCrowd Version2.5.2
AtlassianCrowd Version2.5.3
AtlassianCrowd Version2.6.0
AtlassianCrowd Version2.6.1
AtlassianCrowd Version2.6.2
AtlassianCrowd Version2.3.8
AtlassianCrowd Version2.4.9
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.76% 0.751
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.8 8.6 4.9
AV:N/AC:M/Au:N/C:P/I:P/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.commandfive.com/papers/C5_TA_2013_3925_AtlassianCrowd.pdf
Exploit
URL Repurposed
https://jira.atlassian.com/browse/CWD-3366