Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

This update for typo3-cms-4_7 fixes the following issues :

  - CVE-2014-3941: Multiple vulnerabilities     (TYPO3-CORE-SA-2014-001)

  - CVE-2013-4701: Multiple vulnerabilities     (TYPO3-CORE-SA-2014-002)

  - CVE-2013-7073: Multiple vulnerabilities     (TYPO3-CORE-SA-2013-004)

  - other security fixes, e.g. preventing XSS attacks.

The package was updated to last upstream version (discontinued) 4.7.20

Important security fixes for vulnerabilities in typo3 which can be used for Cross-Site Scripting or Denial of Service attacks or for authentication bypassing.

Fix for CVE-2013-4701

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
93062	openSUSE Security Update : typo3-cms-4_7 (openSUSE-2016-1002)	Nessus	SuSE Local Security Checks	high
92930	openSUSE Security Update : typo3 (openSUSE-2016-959)	Nessus	SuSE Local Security Checks	high
69535	Fedora 19 : php-pear-Auth-OpenID-2.2.2-7.fc19 (2013-15258)	Nessus	Fedora Local Security Checks	high
69534	Fedora 18 : php-pear-Auth-OpenID-2.2.2-7.fc18 (2013-15253)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2013-4701

high

Tenable Plugins

high

high

high

high