CVE-2019-13237 – org.opencms:opencms-core
Package
Manager: maven
Name: org.opencms:opencms-core
Vulnerable Version: >=0 <11.0.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.04138 (percentile 0.88199)
Details
Local file inclusion allows unauthorized access to internal resources in Alkacon OpenCms

In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp.
Metadata
Created: 2019-11-12T22:58:14Z
Modified: 2022-04-19T20:07:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-36hf-6hp2-9g4c/GHSA-36hf-6hp2-9g4c.json
CWE IDs: ["CWE-200", "CWE-22"]
Alternative ID: GHSA-36hf-6hp2-9g4c
Finding: F308
Auto approve: 1