Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nNnY3LXZxaHgtNnY2Y80WfQ
XML External Entity Reference in org.opencms:opencms-core
An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.
Permalink: https://github.com/advisories/GHSA-g6v7-vqhx-6v6c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNnY3LXZxaHgtNnY2Y80WfQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-g6v7-vqhx-6v6c, CVE-2021-3312
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3312
- https://github.com/alkacon/opencms-core/issues/721
- https://github.com/alkacon/opencms-core/issues/725
- https://github.com/alkacon/opencms-core/commit/92e035423aa6967822d343e54392d4291648c0ee
- https://github.com/alkacon/opencms-core/releases
- https://github.com/advisories/GHSA-g6v7-vqhx-6v6c
Blast Radius: 8.7
Affected Packages
maven:org.opencms:opencms-core
Dependent packages: 127
Dependent repositories: 22
Downloads:
Affected Version Ranges: >= 11.0.0, <= 11.0.2
Fixed in: 12.0.0
All affected versions: 11.0.0, 11.0.1, 11.0.2
All unaffected versions: 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.5.0, 8.5.1, 8.5.2, 9.0.0, 9.0.1, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 10.0.0, 10.0.1, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4