Description
An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.
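The mitigation class for this bug is to parse uploaded SVG (which is XML) with DTD processing and external entity resolution disabled, so an embedded `<!DOCTYPE>` with a `SYSTEM` entity is rejected before any file is read. The following is an added illustration in Java using the JDK's DOM parser; it is not OpenCms code and does not reflect the project's actual fix, and the class and method names (`SafeSvgParser`, `parseSvg`) and the constructed sample inputs are assumptions for this example.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class SafeSvgParser {

    /** Builds a DocumentBuilder that refuses DOCTYPEs and never resolves external entities. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: reject any DOCTYPE declaration, which removes DTD-based XXE entirely.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Parses an uploaded SVG string; throws SAXException if it carries a DOCTYPE or entities. */
    static Document parseSvg(String svg) throws ParserConfigurationException, SAXException, IOException {
        return hardenedBuilder().parse(new InputSource(new StringReader(svg)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples (hypothetical): a benign SVG and one that declares an external entity.
        String benign = "<svg xmlns=\"http://www.w3.org/2000/svg\"><rect width=\"1\" height=\"1\"/></svg>";
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE svg [<!ENTITY ext SYSTEM \"file:///constructed/example\">]>"
            + "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&ext;</text></svg>";

        System.out.println("benign root element: " + parseSvg(benign).getDocumentElement().getTagName());
        try {
            parseSvg(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            // Expected path: the parser stops at the DOCTYPE and the upload can be refused.
            System.out.println("rejected upload: " + e.getMessage());
        }
    }
}
```

In an upload handler the `SAXException` path is where the request should be rejected and logged; the same factory configuration applies to any other XML-based format (XSLT, XSD, RSS) the application accepts from authenticated users.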
Remediation
References
https://github.com/alkacon/opencms-core/issues/725
https://github.com/alkacon/opencms-core/releases