Lucene search

INCIBEVULNRICHMENT:CVE-2024-5521

HistoryMay 30, 2024 - 11:11 a.m.

CVE-2024-5521 Cross-Site Scripting stored in Alkacon OpenCMS

2024-05-3011:11:30

CWE-79

INCIBE

github.com

cve-2024-5521

cross-site scripting

alkacon opencms

vulnerability

svg format

javascript

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

AI Score

6.8

Confidence

High

EPSS

Percentile

9.0%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon’s OpenCMS affecting version 16, which could allow a user having the roles of gallery editor or VFS resource manager will have the permission to upload images in the .svg format containing JavaScript code. The code will be executed the moment another user accesses the image.

CNA Affected

[
  {
    "vendor": "Alkacon",
    "product": "OpenCMS",
    "versions": [
      {
        "status": "affected",
        "version": "16"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-stored-alkacon-opencms

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

AI Score

6.8

Confidence

High

EPSS

Percentile

9.0%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2024-5521