CVE-2006-3934: Alkacon OpenCMS Absolute Path Traversal via pathname in filePath parameter

May 1, 2022 (updated June 20, 2025)

Absolute path traversal vulnerability in downloadTrigger.jsp in Alkacon OpenCms before 6.2.2 allows remote authenticated users to download arbitrary files via an absolute pathname in the filePath parameter.

References

exchange.xforce.ibmcloud.com/vulnerabilities/28000
github.com/advisories/GHSA-64hc-4jx3-62jp
github.com/alkacon/opencms-core
github.com/alkacon/opencms-core/commit/8f1c04c5a16fe8d0bdbd13b65bf2a7b5cf100ff9
nvd.nist.gov/vuln/detail/CVE-2006-3934

Code Behaviors & Features

Detect and mitigate CVE-2006-3934 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →