CVE-2014-5392

XML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference.

Published: 2014-09-23 Last update: 2026-05-06 Assigner: [email protected] Source: [email protected]

NVD Status：Modified，CVE State: published

View at NVD, CVE.org, EUVD

Conclusion & alert: CVE-2014-5392 is rated Moderate Risk (49.1/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.97%). Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2014-5392

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-03-30	1.20%	0.97%	-0.23%
2	2025-03-29	0.91%	1.20%	+0.29%
3	2025-03-17	—	0.91%	—

Full EPSS history (7 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2014-5392

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.8	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:P/I:N/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:N) No integrity impact. Availability impact (A:P) Partial availability impact.	8.6	4.9	[email protected]

Weakness enumeration for CVE-2014-5392

NVD evaluator notes for CVE-2014-5392

Comment: <a href="http://cwe.mitre.org/data/definitions/611.html" target="_blank">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>

Affected software / configurations for CVE-2014-5392

Vendor	Product	Version	Raw CPE
sos	jobscheduler	<= 1.6.4131	cpe:2.3:a:sos:jobscheduler::::::::
sos	jobscheduler	1.6.4014	cpe:2.3:a:sos:jobscheduler:1.6.4014:::::::*
sos	jobscheduler	1.6.4043	cpe:2.3:a:sos:jobscheduler:1.6.4043:::::::*
sos	jobscheduler	1.7.4177	cpe:2.3:a:sos:jobscheduler:1.7.4177:::::::*
sos	jobscheduler	1.7.4189	cpe:2.3:a:sos:jobscheduler:1.7.4189:::::::*

References for CVE-2014-5392

URL	Tags
http://packetstormsecurity.com/files/128181/JobScheduler-XML-eXternal-Entity-Injection.html	Patch
http://www.christian-schneider.net/advisories/CVE-2014-5392.txt	Patch
http://www.securityfocus.com/archive/1/533374/100/0/threaded
http://www.sos-berlin.com/modules/news/article.php?storyid=73	Patch
https://change.sos-berlin.com/browse/JS-1204

cvelogic Threat Intelligence