CVE-2019-13118
moderate-risk
Published 2019-07-01
In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.
Do I need to act?
~
1.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10
Medium
NETWORK
/ LOW complexity
Affected Products (20)
Libxslt
References (82)
Mailing List
http://seclists.org/fulldisclosure/2019/Aug/11
Mailing List
http://seclists.org/fulldisclosure/2019/Aug/13
Mailing List
http://seclists.org/fulldisclosure/2019/Aug/14
Mailing List
http://seclists.org/fulldisclosure/2019/Aug/15
Mailing List
http://seclists.org/fulldisclosure/2019/Jul/22
Mailing List
http://seclists.org/fulldisclosure/2019/Jul/23
Mailing List
http://seclists.org/fulldisclosure/2019/Jul/24
Mailing List
http://seclists.org/fulldisclosure/2019/Jul/26
Mailing List
http://seclists.org/fulldisclosure/2019/Jul/31
Mailing List
http://seclists.org/fulldisclosure/2019/Jul/37
Mailing List
http://seclists.org/fulldisclosure/2019/Jul/38
Permissions Required
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15069
Permissions Required
https://oss-fuzz.com/testcase-detail/5197371471822848
and 62 more references
47
/ 100
moderate-risk
Severity
21/34 · High
Exploitability
3/34 · Minimal
Exposure
23/34 · High