Vulnerability details: VCID-3wb2-wzfp-pkg5
System Score Found at
cvssv3.1 9.8 http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
generic_textual CRITICAL http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
epss 0.18767 https://api.first.org/data/v1/epss?cve=CVE-2013-7285
cvssv3.1 9.8 http://seclists.org/oss-sec/2014/q1/69
generic_textual CRITICAL http://seclists.org/oss-sec/2014/q1/69
cvssv3.1 9.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-f554-x222-wgf7
cvssv3.1 9.8 https://github.com/x-stream/xstream/commit/6344867dce6767af7d0fe34fb393271a6456672d
generic_textual CRITICAL https://github.com/x-stream/xstream/commit/6344867dce6767af7d0fe34fb393271a6456672d
cvssv3.1 9.8 https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E
generic_textual CRITICAL https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E
cvssv3.1 9.8 https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E
generic_textual CRITICAL https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2013-7285
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2013-7285
cvssv3.1 9.8 https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html
generic_textual CRITICAL https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html
cvssv3.1 9.8 https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html
generic_textual CRITICAL https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html
cvssv3.1 9.8 https://www.oracle.com/security-alerts/cpuoct2020.html
generic_textual CRITICAL https://www.oracle.com/security-alerts/cpuoct2020.html
cvssv3.1 9.8 https://x-stream.github.io/CVE-2013-7285.html
generic_textual CRITICAL https://x-stream.github.io/CVE-2013-7285.html
cvssv3.1 9.8 http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
generic_textual CRITICAL http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
Reference id Reference type URL
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-7285.json
https://api.first.org/data/v1/epss?cve=CVE-2013-7285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
http://seclists.org/oss-sec/2014/q1/69
https://fisheye.codehaus.org/changelog/xstream?cs=2210
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/x-stream/xstream/commit/6344867dce6767af7d0fe34fb393271a6456672d
https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E
https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html
https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html
http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
1051277 https://bugzilla.redhat.com/show_bug.cgi?id=1051277
734821 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734821
CVE-2013-7285 https://bugzilla.redhat.com/CVE-2013-7285
CVE-2013-7285 https://nvd.nist.gov/vuln/detail/CVE-2013-7285
CVE-2013-7285.HTML https://x-stream.github.io/CVE-2013-7285.html
CVE-2013-7285;OSVDB-102253 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/39193.txt
GHSA-f554-x222-wgf7 https://github.com/advisories/GHSA-f554-x222-wgf7
GLSA-201612-35 https://security.gentoo.org/glsa/201612-35
RHSA-2014:0216 https://access.redhat.com/errata/RHSA-2014:0216
RHSA-2014:0294 https://access.redhat.com/errata/RHSA-2014:0294
RHSA-2014:0323 https://access.redhat.com/errata/RHSA-2014:0323
RHSA-2014:0371 https://access.redhat.com/errata/RHSA-2014:0371
RHSA-2014:0372 https://access.redhat.com/errata/RHSA-2014:0372
RHSA-2014:0374 https://access.redhat.com/errata/RHSA-2014:0374
RHSA-2014:0389 https://access.redhat.com/errata/RHSA-2014:0389
RHSA-2014:0452 https://access.redhat.com/errata/RHSA-2014:0452
RHSA-2014:1007 https://access.redhat.com/errata/RHSA-2014:1007
RHSA-2014:1059 https://access.redhat.com/errata/RHSA-2014:1059
RHSA-2015:1009 https://access.redhat.com/errata/RHSA-2015:1009
RHSA-2015:1888 https://access.redhat.com/errata/RHSA-2015:1888
Data source Exploit-DB
Date added Jan. 7, 2016
Description OpenMRS Reporting Module 0.9.7 - Remote Code Execution
Ransomware campaign use Unknown
Source publication date Jan. 7, 2016
Exploit type webapps
Platform java
Source update date Jan. 7, 2016
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
Metrics: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), Confidentiality Impact (C), Integrity Impact (I), Availability Impact (A)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://seclists.org/oss-sec/2014/q1/69
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/x-stream/xstream/commit/6344867dce6767af7d0fe34fb393271a6456672d
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2013-7285
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpuoct2020.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://x-stream.github.io/CVE-2013-7285.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.9544
EPSS Score 0.18767
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-10T18:04:57.493477+00:00 SUSE Severity Score Importer Import https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml 38.6.0