CVE-2024-5520 — OpenCMS Cross-Site Scripting vulnerability

Description

Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user: with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in the `title` field. Another could having the roles of gallery editor or VFS resource manager will have the permission to upload images in the .svg format containing JavaScript code. The code will be executed the moment another user accesses the image.

How to fix CVE-2024-5520

To remediate CVE-2024-5520, upgrade the affected package to a fixed version below.

—upgrade to 17.0 or later

Is CVE-2024-5520 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 16.0, < 17.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-5520
PATCHgithub.com/alkacon/opencms-core
WEBgithub.com/alkacon/opencms-core/commit/b05a5aca0f2b03042ddf2b2bb45fe2243a4084a7
WEBwww.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-stored-alkacon-opencms