Skip to main content

Crowd CVE-2013-3925

MEDIUM
Improper Input Validation (CWE-20)
2013-07-01 cve@mitre.org
5.8
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
5.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:M/Au:N/C:P/I:P/A:N
Attack Vector
Network
Attack Complexity
M
Confidentiality
P
Integrity
P
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 01, 2013 - 21:55 cve.org
MEDIUM 5.8

DescriptionCVE.org

Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers via a request to (1) /services/2 or (2) services/latest with a DTD containing an XML external entity declaration in conjunction with an entity reference.

AnalysisAI

Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers via a request to (1) /services/2 or. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-20. Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers via a request to (1) /services/2 or (2) services/latest with a DTD containing an XML external entity declaration in conjunction with an entity reference. Affected products include: Atlassian Crowd. Version information: before 2.5.4.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Crowd

View all
CVE-2012-2926 CRITICAL POC
9.1 May 22

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible bef

CVE-2019-11580 CRITICAL POC
9.8 Jun 03

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Rated

CVE-2013-3926 HIGH POC
7.5 Jul 01

Atlassian Crowd 2.6.3 allows remote attackers to execute arbitrary commands via unspecified vectors related to a "symmet

CVE-2016-6496 CRITICAL
9.8 Dec 09

The LDAP directory connector in Atlassian Crowd before 2.8.8 and 2.9.x before 2.9.5 allows remote attackers to execute a

CVE-2022-43782 CRITICAL
9.8 Nov 17

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfigur

CVE-2022-26136 CRITICAL
9.8 Jul 20

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used

CVE-2023-22521 HIGH
8.8 Nov 21

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 3.4.6 of Crowd Data Center and Se

CVE-2022-26137 HIGH
8.8 Jul 20

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Fil

CVE-2026-21569 HIGH
7.9 Jan 28

XXE injection in Atlassian Crowd Data Center and Server 7.1.0+ enables authenticated attackers to read local and remote

CVE-2019-15005 MEDIUM
4.3 Nov 08

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate p

Share

CVE-2013-3925 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy