Description

An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.

Remediation

References

https://github.com/alkacon/opencms-core/issues/725

https://github.com/alkacon/opencms-core/releases

Related Vulnerabilities

CVE-2018-20059 Vulnerability in maven package ro.pippo:pippo-jaxb

CVE-2021-21165 Vulnerability in npm package electron

CVE-2020-15123 Vulnerability in npm package codecov

CVE-2020-28469 Vulnerability in npm package glob-parent

CVE-2021-3765 Vulnerability in npm package validator

Severity

High

Classification

CWE-611 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Exploit Issue Tracking Third Party Advisory Release Notes