Mandriva Linux Security Advisory 2013-156 - ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity vulnerability. The updated packages have been patched to correct this issue.
686354a3dac07edc7796a50d9ab3acf3cac39229d4912db2ea0ab6d44023c774
Debian Linux Security Advisory 2659-1 - Timur Yunusov and Alexey Osipov from Positive Technologies discovered that the XML file parser of ModSecurity, an Apache module whose purpose is to tighten web application security, is vulnerable to XML external entity attacks. A specially crafted XML file provided by a remote attacker could lead to local file disclosure or excessive resource (CPU, memory) consumption when processed.
2ecf19e474f3d84104001f515f49ee5b01e068c895b4d46153fcc73ed4e1f6ef