CVE-2014-2054

Name: CVE-2014-2054
Description: PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high (attack range: remote)
Debian Bugs: 775842

The information below is based on the following data on fixed versions.

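| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| dolibarr | source | (unstable) | 3.5.3+dfsg1-1 | high | | |
| moodle | source | (unstable) | 2.7.5+dfsg-3 | high | | 775842 |
| moodle | source | squeeze | (unfixed) | end-of-life | | |
| owncloud | source | (unstable) | 6.0.2+dfsg-1 | high | | |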

Notes

[squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
dolibarr removed phpexcel in 3.5.3+dfsg1-1 / #729538
moodle also contains a copy of PHPExcel
owncloud does not mention details
http://owncloud.org/about/security/advisories/oC-SA-2014-006/
https://github.com/PHPOffice/PHPExcel/blob/develop/changelog.txt
