Description

An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.

Remediation

References

https://github.com/alkacon/opencms-core/issues/725

https://github.com/alkacon/opencms-core/releases

Related Vulnerabilities

CVE-2023-34610 Vulnerability in maven package com.cedarsoftware:json-io

CVE-2021-23337 Vulnerability in maven package org.webjars.bowergithub.lodash:lodash

CVE-2020-7749 Vulnerability in npm package osm-static-maps

CVE-2019-13235 Vulnerability in maven package org.opencms:opencms-core

CVE-2020-8897 Vulnerability in maven package com.amazonaws:aws-encryption-sdk-java

Severity

High

Classification

CWE-611 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Exploit Issue Tracking Third Party Advisory Release Notes