Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2011-1425

xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as used in WebKit and other products, when XSLT is enabled, allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification.

Published

2011-04-04T12:27:57.437

Last Modified

2025-04-11T00:51:21.963

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 5.1 (MEDIUM)

CVSSv2 Vector

AV:N/AC:H/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

4.9

Impact Score

6.4

Weaknesses

Type: Primary
CWE-264

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	aleksey	xml_security_library	≤ 1.2.16	Yes
Application	aleksey	xml_security_library	0.0.1	Yes
Application	aleksey	xml_security_library	0.0.2	Yes
Application	aleksey	xml_security_library	0.0.2a	Yes
Application	aleksey	xml_security_library	0.0.3	Yes
Application	aleksey	xml_security_library	0.0.4	Yes
Application	aleksey	xml_security_library	0.0.5	Yes
Application	aleksey	xml_security_library	0.0.6	Yes
Application	aleksey	xml_security_library	0.0.7	Yes
Application	aleksey	xml_security_library	0.0.8	Yes
Application	aleksey	xml_security_library	0.0.9	Yes
Application	aleksey	xml_security_library	0.0.10	Yes
Application	aleksey	xml_security_library	0.0.11	Yes
Application	aleksey	xml_security_library	0.0.12	Yes
Application	aleksey	xml_security_library	0.0.13	Yes
Application	aleksey	xml_security_library	0.0.14	Yes
Application	aleksey	xml_security_library	0.0.15	Yes
Application	aleksey	xml_security_library	0.1.0	Yes
Application	aleksey	xml_security_library	0.1.1	Yes
Application	aleksey	xml_security_library	1.0.0	Yes
Application	aleksey	xml_security_library	1.0.0	Yes
Application	aleksey	xml_security_library	1.0.1	Yes
Application	aleksey	xml_security_library	1.0.2	Yes
Application	aleksey	xml_security_library	1.0.3	Yes
Application	aleksey	xml_security_library	1.0.4	Yes
Application	aleksey	xml_security_library	1.1.0	Yes
Application	aleksey	xml_security_library	1.1.1	Yes
Application	aleksey	xml_security_library	1.1.2	Yes
Application	aleksey	xml_security_library	1.2.0	Yes
Application	aleksey	xml_security_library	1.2.1	Yes
Application	aleksey	xml_security_library	1.2.2	Yes
Application	aleksey	xml_security_library	1.2.3	Yes
Application	aleksey	xml_security_library	1.2.4	Yes
Application	aleksey	xml_security_library	1.2.5	Yes
Application	aleksey	xml_security_library	1.2.6	Yes
Application	aleksey	xml_security_library	1.2.7	Yes
Application	aleksey	xml_security_library	1.2.8	Yes
Application	aleksey	xml_security_library	1.2.9	Yes
Application	aleksey	xml_security_library	1.2.10	Yes
Application	aleksey	xml_security_library	1.2.11	Yes
Application	aleksey	xml_security_library	1.2.13	Yes
Application	aleksey	xml_security_library	1.2.14	Yes
Application	aleksey	xml_security_library	1.2.15	Yes
Application	apple	webkit	*	Yes

References

http://git.gnome.org/browse/xmlsec/commit/?id=2d5eddcc4163ea050cf3a3a1a25452bb5124f780 Patch ([email protected])
http://git.gnome.org/browse/xmlsec/commit/?id=35eaacde6093d6711339754fc2146341b8b9f5fa Patch ([email protected])
http://secunia.com/advisories/43920 Vendor Advisory ([email protected])
http://secunia.com/advisories/44167 ([email protected])
http://secunia.com/advisories/44423 ([email protected])
http://trac.webkit.org/changeset/79159 ([email protected])
http://www.aleksey.com/pipermail/xmlsec/2011/009120.html Patch ([email protected])
http://www.debian.org/security/2011/dsa-2219 ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2011:063 ([email protected])
http://www.redhat.com/support/errata/RHSA-2011-0486.html ([email protected])
http://www.securityfocus.com/bid/47135 ([email protected])
http://www.securitytracker.com/id?1025284 ([email protected])
http://www.vupen.com/english/advisories/2011/0855 ([email protected])
http://www.vupen.com/english/advisories/2011/0858 ([email protected])
http://www.vupen.com/english/advisories/2011/1010 ([email protected])
http://www.vupen.com/english/advisories/2011/1172 ([email protected])
https://bugs.webkit.org/show_bug.cgi?id=52688 ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=692133 Patch ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/66506 ([email protected])
http://git.gnome.org/browse/xmlsec/commit/?id=2d5eddcc4163ea050cf3a3a1a25452bb5124f780 Patch (af854a3a-2127-422b-91ae-364da2661108)
http://git.gnome.org/browse/xmlsec/commit/?id=35eaacde6093d6711339754fc2146341b8b9f5fa Patch (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/43920 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/44167 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/44423 (af854a3a-2127-422b-91ae-364da2661108)
http://trac.webkit.org/changeset/79159 (af854a3a-2127-422b-91ae-364da2661108)
http://www.aleksey.com/pipermail/xmlsec/2011/009120.html Patch (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2011/dsa-2219 (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2011:063 (af854a3a-2127-422b-91ae-364da2661108)
http://www.redhat.com/support/errata/RHSA-2011-0486.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/47135 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id?1025284 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2011/0855 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2011/0858 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2011/1010 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2011/1172 (af854a3a-2127-422b-91ae-364da2661108)
https://bugs.webkit.org/show_bug.cgi?id=52688 (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=692133 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/66506 (af854a3a-2127-422b-91ae-364da2661108)