Description
An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.
Remediation
References
https://github.com/alkacon/opencms-core/issues/725
https://github.com/alkacon/opencms-core/releases