CVE-2021-3312
XML External Entity Reference in org.opencms:opencms-core
CVSS 3.1: 6.5 (MEDIUM)
EPSS: 0.34%
Description
An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.
How to fix CVE-2021-3312
To remediate CVE-2021-3312, upgrade the affected package to a fixed version listed below.
- Upgrade to 12.0.0 or later
Is CVE-2021-3312 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 11.0.0, < 12.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |