Name | CVE-2014-2054 |
Description | PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 775842 |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
dolibarr | source | (unstable) | 3.5.3+dfsg1-1 | | | |
moodle | source | squeeze | (unfixed) | end-of-life | | |
moodle | source | (unstable) | 2.7.5+dfsg-3 | | | 775842 |
owncloud | source | (unstable) | 6.0.2+dfsg-1 | | | |
[squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
dolibarr removed phpexcel in 3.5.3+dfsg1-1 / #729538
moodle also contains a copy of PHPExcel
owncloud does not mention details
http://owncloud.org/about/security/advisories/oC-SA-2014-006/
https://github.com/PHPOffice/PHPExcel/blob/develop/changelog.txt