{"url":"http://public2.vulnerablecode.io/api/packages/515953?format=json","purl":"pkg:deb/debian/xml-security-c@1.7.2-2~bpo70%2B1","type":"deb","namespace":"debian","name":"xml-security-c","version":"1.7.2-2~bpo70+1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.7.3-4+deb9u3","latest_non_vulnerable_version":"1.7.3-4+deb9u3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/355162?format=json","vulnerability_id":"VCID-p9sh-2egt-pkh6","summary":"security update","references":[],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/515957?format=json","purl":"pkg:deb/debian/xml-security-c@1.7.3-4%2Bdeb9u3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/xml-security-c@1.7.3-4%252Bdeb9u3"}],"aliases":["DSA-4265-1 xml-security-c"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p9sh-2egt-pkh6"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106604?format=json","vulnerability_id":"VCID-16wf-jqv6-eba8","summary":"Heap-based buffer overflow in the Exclusive Canonicalization functionality (xsec/canon/XSECC14n20010315.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PrefixList attribute.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2156","reference_id":"","reference_type":"","scores":[{"value":"0.03204","scoring_system":"epss","scoring_elements":"0.87245","published_at":"2026-06-04T12:55:00Z"},{"value":"0.03204","scoring_system":"epss","scoring_elements":"0.87268","published_at":"2026-06-05T12:55:00Z"},{"value":"0.03204","scoring_system":"epss","scoring_elements":"0.87265","published_at":"2026-06-06T12:55:00Z"},{"value":"0.03204","scoring_system":"epss","scoring_elements":"0.87263","published_at":"2026-06-07T12:55:00Z"},{"value":"0.03204","scoring_system":"epss","scoring_elements":"0.8726","published_at":"2026-06-08T12:55:00Z"},{"value":"0.03204","scoring_system":"epss","scoring_elements":"0.87272","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2156"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/213348?format=json","purl":"pkg:deb/debian/xml-security-c@1.6.1-5%2Bdeb7u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16wf-jqv6-eba8"},{"vulnerability":"VCID-84m4-vfjk-d7gf"},{"vulnerability":"VCID-ceyh-24gk-ufb9"},{"vulnerability":"VCID-p9sh-2egt-pkh6"},{"vulnerability":"VCID-snp8-216k-syc7"},{"vulnerability":"VCID-tuyu-p3zp-yfdf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/xml-security-c@1.6.1-5%252Bdeb7u2"},{"url":"http://public2.vulnerablecode.io/api/packages/515953?format=json","purl":"pkg:deb/debian/xml-security-c@1.7.2-2~bpo70%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p9sh-2egt-pkh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/xml-security-c@1.7.2-2~bpo70%252B1"}],"aliases":["CVE-2013-2156"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-16wf-jqv6-eba8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106602?format=json","vulnerability_id":"VCID-84m4-vfjk-d7gf","summary":"Stack-based buffer overflow in the XML Signature Reference functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via malformed XPointer expressions, probably related to the DSIGReference::getURIBaseTXFM function.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2154","reference_id":"","reference_type":"","scores":[{"value":"0.01673","scoring_system":"epss","scoring_elements":"0.82471","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01673","scoring_system":"epss","scoring_elements":"0.825","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01673","scoring_system":"epss","scoring_elements":"0.82499","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01673","scoring_system":"epss","scoring_elements":"0.82497","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01673","scoring_system":"epss","scoring_elements":"0.8249","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01673","scoring_system":"epss","scoring_elements":"0.82502","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2154"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/213348?format=json","purl":"pkg:deb/debian/xml-security-c@1.6.1-5%2Bdeb7u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16wf-jqv6-eba8"},{"vulnerability":"VCID-84m4-vfjk-d7gf"},{"vulnerability":"VCID-ceyh-24gk-ufb9"},{"vulnerability":"VCID-p9sh-2egt-pkh6"},{"vulnerability":"VCID-snp8-216k-syc7"},{"vulnerability":"VCID-tuyu-p3zp-yfdf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/xml-security-c@1.6.1-5%252Bdeb7u2"},{"url":"http://public2.vulnerablecode.io/api/packages/515953?format=json","purl":"pkg:deb/debian/xml-security-c@1.7.2-2~bpo70%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p9sh-2egt-pkh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/xml-security-c@1.7.2-2~bpo70%252B1"}],"aliases":["CVE-2013-2154"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-84m4-vfjk-d7gf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106605?format=json","vulnerability_id":"VCID-ceyh-24gk-ufb9","summary":"Heap-based buffer overflow in the XML Signature Reference functionality in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.2 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via malformed XPointer expressions.  NOTE: this is due to an incorrect fix for CVE-2013-2154.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2210","reference_id":"","reference_type":"","scores":[{"value":"0.01564","scoring_system":"epss","scoring_elements":"0.81831","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01564","scoring_system":"epss","scoring_elements":"0.81864","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01564","scoring_system":"epss","scoring_elements":"0.81865","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01564","scoring_system":"epss","scoring_elements":"0.81858","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01564","scoring_system":"epss","scoring_elements":"0.81874","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2210"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2210","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2210"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714241","reference_id":"714241","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714241"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/213348?format=json","purl":"pkg:deb/debian/xml-security-c@1.6.1-5%2Bdeb7u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16wf-jqv6-eba8"},{"vulnerability":"VCID-84m4-vfjk-d7gf"},{"vulnerability":"VCID-ceyh-24gk-ufb9"},{"vulnerability":"VCID-p9sh-2egt-pkh6"},{"vulnerability":"VCID-snp8-216k-syc7"},{"vulnerability":"VCID-tuyu-p3zp-yfdf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/xml-security-c@1.6.1-5%252Bdeb7u2"},{"url":"http://public2.vulnerablecode.io/api/packages/515953?format=json","purl":"pkg:deb/debian/xml-security-c@1.7.2-2~bpo70%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p9sh-2egt-pkh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/xml-security-c@1.7.2-2~bpo70%252B1"}],"aliases":["CVE-2013-2210"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ceyh-24gk-ufb9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106601?format=json","vulnerability_id":"VCID-snp8-216k-syc7","summary":"The XML digital signature functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows context-dependent attackers to reuse signatures and spoof arbitrary content via crafted Reference elements in the Signature, aka \"XML Signature Bypass issue.\"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2153","reference_id":"","reference_type":"","scores":[{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74989","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.75017","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.75022","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.75014","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74999","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.75026","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/213348?format=json","purl":"pkg:deb/debian/xml-security-c@1.6.1-5%2Bdeb7u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16wf-jqv6-eba8"},{"vulnerability":"VCID-84m4-vfjk-d7gf"},{"vulnerability":"VCID-ceyh-24gk-ufb9"},{"vulnerability":"VCID-p9sh-2egt-pkh6"},{"vulnerability":"VCID-snp8-216k-syc7"},{"vulnerability":"VCID-tuyu-p3zp-yfdf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/xml-security-c@1.6.1-5%252Bdeb7u2"},{"url":"http://public2.vulnerablecode.io/api/packages/515953?format=json","purl":"pkg:deb/debian/xml-security-c@1.7.2-2~bpo70%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p9sh-2egt-pkh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/xml-security-c@1.7.2-2~bpo70%252B1"}],"aliases":["CVE-2013-2153"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-snp8-216k-syc7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106603?format=json","vulnerability_id":"VCID-tuyu-p3zp-yfdf","summary":"Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 does not properly validate length values, which allows remote attackers to cause a denial of service or bypass the CVE-2009-0217 protection mechanism and spoof a signature via crafted length values to the (1) compareBase64StringToRaw, (2) DSIGAlgorithmHandlerDefault, or (3) DSIGAlgorithmHandlerDefault::verify functions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2155","reference_id":"","reference_type":"","scores":[{"value":"0.01566","scoring_system":"epss","scoring_elements":"0.81845","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01566","scoring_system":"epss","scoring_elements":"0.81879","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01566","scoring_system":"epss","scoring_elements":"0.8188","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01566","scoring_system":"epss","scoring_elements":"0.81874","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01566","scoring_system":"epss","scoring_elements":"0.81889","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2155"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/213348?format=json","purl":"pkg:deb/debian/xml-security-c@1.6.1-5%2Bdeb7u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16wf-jqv6-eba8"},{"vulnerability":"VCID-84m4-vfjk-d7gf"},{"vulnerability":"VCID-ceyh-24gk-ufb9"},{"vulnerability":"VCID-p9sh-2egt-pkh6"},{"vulnerability":"VCID-snp8-216k-syc7"},{"vulnerability":"VCID-tuyu-p3zp-yfdf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/xml-security-c@1.6.1-5%252Bdeb7u2"},{"url":"http://public2.vulnerablecode.io/api/packages/515953?format=json","purl":"pkg:deb/debian/xml-security-c@1.7.2-2~bpo70%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p9sh-2egt-pkh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/xml-security-c@1.7.2-2~bpo70%252B1"}],"aliases":["CVE-2013-2155"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tuyu-p3zp-yfdf"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/xml-security-c@1.7.2-2~bpo70%252B1"}