CVE-2019-13237 — Local file inclusion allows unauthorized access to internal resources in Alkacon

Description

In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp.

How to fix CVE-2019-13237

To remediate CVE-2019-13237, upgrade the affected package to a fixed version below.

—upgrade to 11.0.1 or later

Is CVE-2019-13237 being exploited?

Low — EPSS is 4.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 11.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-13237
PATCHgithub.com/alkacon/opencms-core
WEBpacketstormsecurity.com/files/154281/Alkacon-OpenCMS-10.5.x-Local-File-Inclusion.html
WEBaetsu.github.io/OpenCms
WEB