CVE-2024-5520: OpenCMS Cross-Site Scripting vulnerability

May 30, 2024

Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon’s OpenCMS affecting version 16, which could allow a user: with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in the title field. Another could having the roles of gallery editor or VFS resource manager will have the permission to upload images in the .svg format containing JavaScript code. The code will be executed the moment another user accesses the image.

References

github.com/advisories/GHSA-vg6x-pchq-98mg
github.com/alkacon/opencms-core
github.com/alkacon/opencms-core/commit/b05a5aca0f2b03042ddf2b2bb45fe2243a4084a7
nvd.nist.gov/vuln/detail/CVE-2024-5520
www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-stored-alkacon-opencms

Detect and mitigate CVE-2024-5520 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →