Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTM2aGYtNmhwMi05ZzRj
Local file inclusion allows unauthorized access to internal resources in Alkacon OpenCms
In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp.
Permalink: https://github.com/advisories/GHSA-36hf-6hp2-9g4c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTM2aGYtNmhwMi05ZzRj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 5 years ago
Updated: almost 2 years ago
CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-36hf-6hp2-9g4c, CVE-2019-13237
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-13237
- https://aetsu.github.io/OpenCms
- https://github.com/alkacon/opencms-core/commits/branch_10_5_x
- http://packetstormsecurity.com/files/154281/Alkacon-OpenCMS-10.5.x-Local-File-Inclusion.html
- https://github.com/advisories/GHSA-36hf-6hp2-9g4c
Blast Radius: 5.8
Affected Packages
maven:org.opencms:opencms-core
Dependent packages: 127
Dependent repositories: 22
Downloads:
Affected Version Ranges: < 11.0.1
Fixed in: 11.0.1
All affected versions: 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.5.0, 8.5.1, 8.5.2, 9.0.0, 9.0.1, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 10.0.0, 10.0.1, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 11.0.0
All unaffected versions: 11.0.1, 11.0.2