CVE-2021-3312
MEDIUM
Alkacon OpenCms 11.0-11.0.2 - Authenticated XML External Entity Injection via SVG Upload
Title source: llm
Description
An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.
References (2)
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/alkacon/opencms-core/releases
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/alkacon/opencms-core/issues/725
Scores
CVSS v3
6.5
EPSS
0.0125
EPSS Percentile
65.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-611
Status
published
Products (4)
alkacon/opencms
11.0
alkacon/opencms
11.0.1
alkacon/opencms
11.0.2
org.opencms/opencms-core
11.0.0 - 12.0.0 Maven
Published
Oct 08, 2021
Tracked Since
Feb 18, 2026