CVE-2021-3312: Improper Restriction of XML External Entity Reference

October 12, 2021 (updated October 18, 2021)

An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server’s file system by uploading a crafted SVG document.

References

github.com/advisories/GHSA-g6v7-vqhx-6v6c
github.com/alkacon/opencms-core/commit/92e035423aa6967822d343e54392d4291648c0ee
github.com/alkacon/opencms-core/issues/721
github.com/alkacon/opencms-core/issues/725
github.com/alkacon/opencms-core/releases
nvd.nist.gov/vuln/detail/CVE-2021-3312

Code Behaviors & Features

Detect and mitigate CVE-2021-3312 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →