Lucene search

INCIBEVULNRICHMENT:CVE-2024-5520

HistoryMay 30, 2024 - 11:10 a.m.

CVE-2024-5520 Cross-Site Scripting stored in Alkacon OpenCMS

2024-05-3011:10:37

CWE-79

INCIBE

github.com

cve-2024-5520

cross-site scripting

alkacon opencms

web pages

admin panel

javascript code

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

AI Score

6.8

Confidence

High

EPSS

Percentile

9.0%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon’s OpenCMS affecting version 16, which could allow a user with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in the “title” field.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:alkacon:opencms:*:*:*:*:*:*:*:*"
    ],
    "vendor": "alkacon",
    "product": "opencms",
    "versions": [
      {
        "status": "affected",
        "version": "16"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-stored-alkacon-opencms

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

AI Score

6.8

Confidence

High

EPSS

Percentile

9.0%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-5520