CVE-2014-2054: XEE
First published: Wed Jun 04 2014(Updated: )
PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/phpoffice/phpexcel | <1.8.0 | 1.8.0 |
| ownCloud | =6.0.0 | |
| ownCloud | =6.0.1 | |
| PhpSpreadsheet | <=1.7.9 | |
| ownCloud | <=5.0.14 | |
| ownCloud | =5.0.0 | |
| ownCloud | =5.0.1 | |
| ownCloud | =5.0.2 | |
| ownCloud | =5.0.3 | |
| ownCloud | =5.0.4 | |
| ownCloud | =5.0.5 | |
| ownCloud | =5.0.6 | |
| ownCloud | =5.0.7 | |
| ownCloud | =5.0.8 | |
| ownCloud | =5.0.9 | |
| ownCloud | =5.0.10 | |
| ownCloud | =5.0.11 | |
| ownCloud | =5.0.12 | |
| ownCloud | =5.0.13 | |
| ownCloud | =5.0.14 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2014-2054
- http://owncloud.org/about/security/advisories/oC-SA-2014-006/
- https://github.com/PHPOffice/PHPExcel/commit/e04bf7ed091b0a72d028eacf26d770b485d4e897
- https://github.com/PHPOffice/PHPExcel/blob/2b601574975acfb9d4378a788ed5f2b747958095/changelog.txt#L120
- https://github.com/advisories/GHSA-28rm-rj57-qjpv (Advisory)
- https://github.com/PHPOffice/PHPExcel/blob/develop/changelog.txt
Frequently Asked Questions
What is the severity of CVE-2014-2054?
CVE-2014-2054 has a CVSS score of 5.3, indicating a medium severity vulnerability.
How do I fix CVE-2014-2054?
To fix CVE-2014-2054, you need to upgrade PHPExcel to version 1.8.0 or later.
What types of attacks can be executed through CVE-2014-2054?
CVE-2014-2054 allows remote attackers to conduct XML External Entity (XXE) attacks to read arbitrary files or cause denial of service.
Which versions of software are affected by CVE-2014-2054?
CVE-2014-2054 affects PHPExcel versions prior to 1.8.0 and ownCloud Server versions 5.0.14 and earlier as well as 6.0.x versions before 6.0.2.
What is an XML External Entity (XXE) attack in the context of CVE-2014-2054?
An XML External Entity (XXE) attack exploits the parsing of XML to read sensitive files on the server or perform other malicious actions.
- collector/github-advisory-latest
- alias/GHSA-28rm-rj57-qjpv
- alias/CVE-2014-2054
- collector/github-advisory
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/references
- agent/first-publish-date
- agent/event
- agent/description
- agent/trending
- agent/source
- agent/tags
- agent/author
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/composer
- vendor/owncloud
- canonical/owncloud
- version/owncloud/6.0.0
- version/owncloud/6.0.1
- vendor/phpexcel project
- canonical/phpspreadsheet
- version/phpspreadsheet/1.7.9
- version/owncloud/5.0.14
- version/owncloud/5.0.0
- version/owncloud/5.0.1
- version/owncloud/5.0.2
- version/owncloud/5.0.3
- version/owncloud/5.0.4
- version/owncloud/5.0.5
- version/owncloud/5.0.6
- version/owncloud/5.0.7
- version/owncloud/5.0.8
- version/owncloud/5.0.9
- version/owncloud/5.0.10
- version/owncloud/5.0.11
- version/owncloud/5.0.12
- version/owncloud/5.0.13