Description
An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.
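The defensive side of this issue, as an added illustration that is not code from OpenCms or from this advisory: an XXE payload needs a DOCTYPE in which to declare its external entity, so an upload handler that refuses any DTD before the SVG reaches an XML-aware component removes the attack surface regardless of how that component is configured. The example below uses Python's stdlib expat bindings; the two SVG inputs are constructed here for demonstration and the file path inside the DOCTYPE sample is a placeholder.

```python
"""Reject uploaded SVG documents that carry a DTD or entity declarations.

Added example, not OpenCms code. The idea: SVG is XML, and an XXE attack
requires a <!DOCTYPE ...> section to declare the external entity, so an
upload-time check that fails closed on any DOCTYPE or entity declaration
blocks the whole class before the file is handed to a renderer.
"""
import xml.parsers.expat as expat


class UnsafeSvgError(ValueError):
    """Raised when an uploaded SVG contains constructs we refuse to process."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Any DOCTYPE is refused; legitimate SVG content never needs one.
    raise UnsafeSvgError(f"DOCTYPE not allowed (name={doctype_name!r})")


def _reject_entity_decl(entity_name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
    # Unreachable once DOCTYPE is refused, kept as defence in depth.
    raise UnsafeSvgError(f"entity declaration not allowed: {entity_name!r}")


def _reject_external_entity(context, base, system_id, public_id):
    # Returning 0 tells expat to treat the external reference as fatal.
    return 0


def root_element_of_svg(data: bytes) -> str:
    """Parse `data` with a DTD-refusing parser and return the root element name.

    Raises UnsafeSvgError on DOCTYPE or entity use; malformed XML surfaces
    as expat.ExpatError. Callers can additionally require the root to be 'svg'.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity_decl
    parser.ExternalEntityRefHandler = _reject_external_entity
    # Never read parameter entities, so no external DTD is ever fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    root = []

    def start_element(name, attrs):
        if not root:
            root.append(name)

    parser.StartElementHandler = start_element
    parser.Parse(data, True)
    return root[0]


def is_safe_svg(data: bytes) -> tuple[bool, str]:
    """Fail-closed verdict for an upload handler: (accepted, reason)."""
    try:
        root = root_element_of_svg(data)
    except UnsafeSvgError as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    if root != "svg":
        return False, f"root element is {root!r}, not 'svg'"
    return True, "ok"


# Constructed sample: a benign SVG as a graphics tool would emit it.
BENIGN_SVG = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10"/></svg>')

# Constructed sample: the shape of an XXE-carrying SVG (placeholder path).
DTD_SVG = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>\n'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("dtd", DTD_SVG)):
        print(label, is_safe_svg(sample))
```

The trade-off a practitioner should weigh: older authoring tools emit SVGs with a public DOCTYPE referencing the W3C SVG DTD, and this check rejects those too. That is usually acceptable for an upload pipeline (the DTD adds nothing a renderer needs), but if such files must be accepted, strip the DOCTYPE and re-validate rather than loosening the parser.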
Remediation
References
https://github.com/alkacon/opencms-core/releases
https://github.com/alkacon/opencms-core/issues/725
Related Vulnerabilities
CVE-2018-20677 Vulnerability in maven package org.webjars.bower:bootstrap
CVE-2021-21290 Vulnerability in maven package io.netty:netty-transport-native-epoll
CVE-2021-28162 Vulnerability in npm package @wiptheia/core
CVE-2023-24620 Vulnerability in maven package com.esotericsoftware.yamlbeans:yamlbeans
CVE-2018-20059 Vulnerability in maven package ro.pippo:pippo-jaxb