[MAVEN:GHSA-VG6X-PCHQ-98MG] OpenCMS Cross-Site Scripting vulnerability

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user:
with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in the title field. Another could having the roles of gallery editor or VFS resource manager will have the permission to upload images in the .svg format containing JavaScript code. The code will be executed the moment another user accesses the image.

Package	Affected Version
pkg:maven/org.opencms/opencms-core	= 16.0

Package	Fixed Version
pkg:maven/org.opencms/opencms-core	= 17.0

ID: MAVEN:GHSA-VG6X-PCHQ-98MG
Severity: moderate
URL: https://github.com/advisories/GHSA-vg6x-pchq-98mg
Published: 2024-05-30T19:49:04
(3 months ago)
Modified: 2024-05-30T19:49:05
(3 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2024-5520
			https://github.com/alkacon/opencms-core/commit/b05a5aca0f2b03042ddf2b2bb45fe2243a4084a7
			https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-stored-alkacon-opencms
			https://github.com/advisories/GHSA-vg6x-pchq-98mg

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.opencms/opencms-core	org.opencms	opencms-core	= 16.0
Fixed	pkg:maven/org.opencms/opencms-core	org.opencms	opencms-core	= 17.0

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date