CVE-2024-5521

Cross-Site Scripting stored in Alkacon OpenCMS

CVSS 6.4 MEDIUMEPSS 0.3%CWE-79

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.4EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

30 May 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user having the roles of gallery editor or VFS resource manager will have the permission to upload images in the .svg format containing JavaScript code. The code will be executed the moment another user accesses the image.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Affected products

Alkacon · OpenCMS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-stored-alkacon-opencms