CVE-2024-5520 – org.opencms:opencms-core

Package

Manager: maven
Name: org.opencms:opencms-core
Vulnerable Version: =16.0 || >=16.0 <17.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00192 pctl0.41352

Details

OpenCMS Cross-Site Scripting vulnerability Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user: with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in the `title` field. Another could having the roles of gallery editor or VFS resource manager will have the permission to upload images in the .svg format containing JavaScript code. The code will be executed the moment another user accesses the image.

Metadata

Created: 2024-05-30T19:49:04Z
Modified: 2024-05-30T19:49:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-vg6x-pchq-98mg/GHSA-vg6x-pchq-98mg.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-vg6x-pchq-98mg
Finding: F425
Auto approve: 1