OpenCMS Cross-Site Scripting vulnerability

GHSA-vg6x-pchq-98mg · CVE-2024-5520

Published May 30, 2024 · Modified May 30, 2024

Description

Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user:
with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in the title field. Another could having the roles of gallery editor or VFS resource manager will have the permission to upload images in the .svg format containing JavaScript code. The code will be executed the moment another user accesses the image.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-5520
WEB https://github.com/alkacon/opencms-core/commit/b05a5aca0f2b03042ddf2b2bb45fe2243a4084a7
PACKAGE https://github.com/alkacon/opencms-core
WEB https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-stored-alkacon-opencms

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes