Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12ZzZ4LXBjaHEtOThtZ84AA8kL
OpenCMS Cross-Site Scripting vulnerability
Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user:
with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in the title field. Another could having the roles of gallery editor or VFS resource manager will have the permission to upload images in the .svg format containing JavaScript code. The code will be executed the moment another user accesses the image.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12ZzZ4LXBjaHEtOThtZ84AA8kL
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 6.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Identifiers: GHSA-vg6x-pchq-98mg, CVE-2024-5520
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-5520
- https://github.com/alkacon/opencms-core/commit/b05a5aca0f2b03042ddf2b2bb45fe2243a4084a7
- https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-stored-alkacon-opencms
- https://github.com/advisories/GHSA-vg6x-pchq-98mg
Blast Radius: 8.6
Affected Packages
maven:org.opencms:opencms-core
Dependent packages: 127Dependent repositories: 22
Downloads:
Affected Version Ranges: = 16.0
Fixed in: 17.0
All affected versions:
All unaffected versions: 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.5.0, 8.5.1, 8.5.2, 9.0.0, 9.0.1, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 10.0.0, 10.0.1, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 11.0.0, 11.0.1, 11.0.2