VDB
CVE-2013-7285
CVE-2013-7285
PUBLISHED
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.
EPSS 18.77% · 95.4th percentile
Risk Scores
EPSS Score
18.77%
95.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:14.04:LTS | libxstream-java | 1.4.4-1, 0 |
Exploit Intelligence
- shoucheng3/x-stream__xstream_CVE-2013-7285_1-4-6 (github-poc)
- shoucheng3/x-stream__xstream_CVE-2013-7285_1-4-6 (github-poc)
- shoucheng3/x-stream__xstream_CVE-2013-7285_1-4-6 (github-poc)
- shoucheng3/x-stream__xstream_CVE-2013-7285_1-4-6 (github-poc)
- shoucheng3/x-stream__xstream_CVE-2013-7285_1-4-6 (github-poc)
- shoucheng3/x-stream__xstream_CVE-2013-7285_1-4-6 (github-poc)
- shoucheng3/x-stream__xstream_CVE-2013-7285_1-4-6 (github-poc)
- https://x-stream.github.io/CVE-2013-7285.html (nist-nvd)
- owasp-exclude.xml (github-poc)
- Nuclei Template: CVE-2013-7285 (nuclei-template)
…and 15 more exploits
Timeline
- Jan 7, 2016 PoC Published
- May 15, 2019 CVE Published
- Jul 18, 2019 CVE Updated
- Feb 4, 2022 EPSS Score
- Mar 30, 2023 EPSS Score
- Jan 10, 2024 EPSS Score
- Apr 23, 2024 EPSS Score
- May 26, 2024 EPSS Score
- Oct 5, 2024 EPSS Score
- Mar 17, 2025 EPSS Score
- Mar 19, 2025 EPSS Score
- Mar 23, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2013-7285 third-party-advisory
- http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html third-party-advisory
- http://markmail.org/message/kfqoqdfj5fnup5co?q=list:org.codehaus.xstream.dev&page=3 third-party-advisory
- http://xstream.codehaus.org/security.html third-party-advisory
- https://fisheye.codehaus.org/changelog/xstream?cs=2210 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2013-7285 third-party-advisory