Alkacon OpenCMS Absolute Path Traversal via pathname in filePath parameter

GHSA-64hc-4jx3-62jp · CVE-2006-3934

Published May 1, 2022 · Modified Jun 20, 2025

Description

Absolute path traversal vulnerability in downloadTrigger.jsp in Alkacon OpenCms before 6.2.2 allows remote authenticated users to download arbitrary files via an absolute pathname in the filePath parameter.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2006-3934
WEB https://github.com/alkacon/opencms-core/commit/8f1c04c5a16fe8d0bdbd13b65bf2a7b5cf100ff9
WEB https://exchange.xforce.ibmcloud.com/vulnerabilities/28000
PACKAGE https://github.com/alkacon/opencms-core
WEB http://securityreason.com/securityalert/1302
WEB http://www.opencms.org/export/download/opencms/opencms_6.2.2_src.zip
WEB http://www.opencms.org/opencms/en/shownews.html?id=1002

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes