11.0.2

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

alkacon

CWE-611

NVD

Published: 2021-10-08

Updated: 2021-10-15

Summary

An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.

Vulnerable Configurations

Part	Description	Count
Application	Alkacon Alkacon Opencms 11.0 Alkacon Opencms 11.0.1 Alkacon Opencms 11.0.2	3

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://github.com/alkacon/opencms-core/releases
https://github.com/alkacon/opencms-core/issues/725