CVE-2006-3934
Alkacon OpenCms Absolute Path Traversal via pathname in filePath parameter
EPSS 0.69%
Description
Absolute path traversal vulnerability in downloadTrigger.jsp in Alkacon OpenCms before 6.2.2 allows remote authenticated users to download arbitrary files via an absolute pathname in the filePath parameter.
How to fix CVE-2006-3934
To remediate CVE-2006-3934, upgrade the affected package to the fixed version listed below.
- Maven/org.opencms:opencms-core: upgrade to 6.2.2 or later
Is CVE-2006-3934 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/org.opencms:opencms-core: from 0, < 6.2.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |