Description
An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.
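The defensive counterpart to the issue above, added here as an illustration and not taken from OpenCms itself: a JAXP parser configuration that refuses any DOCTYPE and never resolves external entities, so an uploaded SVG cannot reach the server's file system during parsing. The class name, the sample SVG strings and the placeholder entity target are all constructed for this example.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.IOException;
import java.io.StringReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SafeSvgParser {

    // Builds a DocumentBuilder hardened against XXE: DOCTYPE declarations are
    // rejected outright, external entities are never fetched, XInclude is off.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses the text of an uploaded SVG. A document carrying a DOCTYPE makes
    // the parser raise a SAXException before any entity could be resolved.
    static Document parseSvg(String svgText)
            throws ParserConfigurationException, SAXException, IOException {
        return hardenedBuilder().parse(new InputSource(new StringReader(svgText)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an ordinary SVG and one with an external entity.
        String benign = "<svg xmlns='http://www.w3.org/2000/svg'><rect width='1' height='1'/></svg>";
        String withEntity = "<!DOCTYPE svg [<!ENTITY x SYSTEM 'file:///PLACEHOLDER'>]>"
                + "<svg xmlns='http://www.w3.org/2000/svg'><text>&x;</text></svg>";

        Document ok = parseSvg(benign);
        System.out.println("benign root element: " + ok.getDocumentElement().getTagName());

        try {
            parseSvg(withEntity);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXException e) {
            // Expected path: the upload is rejected and should be logged for review.
            System.out.println("rejected upload: " + e.getMessage());
        }
    }
}
```

The same feature set applies to SAXParserFactory and XMLInputFactory; apply it wherever uploaded XML or SVG is parsed, and treat a rejected DOCTYPE as a signal worth logging.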
Remediation
References
https://github.com/alkacon/opencms-core/issues/725
https://github.com/alkacon/opencms-core/releases