Description
An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.
Remediation
References
https://github.com/alkacon/opencms-core/issues/725
https://github.com/alkacon/opencms-core/releases