CVE-2021-3312
Published 2021-10-08
Priority: P3 · 37 · medium 6.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 1.25% (65.6th percentile)
An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.
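An added example, not code from the advisory or from OpenCms: a Python upload-time gate that rejects the XXE vector, any DOCTYPE or entity declaration, in an SVG before the document reaches the application's real XML processing, and that requires an `<svg>` root element in the SVG namespace. The sample documents and the placeholder SYSTEM path are constructed, and the function name is an assumption.

```python
import xml.parsers.expat as expat

SVG_NS = "http://www.w3.org/2000/svg"


class RejectedSvg(Exception):
    """Raised from a parser callback to abort on a disallowed construct."""


def validate_svg_upload(data: bytes):
    """Return (accepted, reason); rejects DOCTYPE/entities and non-SVG roots."""
    parser = expat.ParserCreate(namespace_separator=" ")
    # Parameter entities are never expanded, and external entities are not
    # fetched because no ExternalEntityRefHandler is installed.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedSvg("DOCTYPE declarations are not allowed in uploads")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise RejectedSvg("entity declarations are not allowed in uploads")

    def on_start(name, attrs):
        if not root:
            root.append(name)  # expat reports "namespace-URI localname"

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except RejectedSvg as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"not well-formed XML: {exc}"
    if root != [f"{SVG_NS} svg"]:
        return False, f"root element is not SVG: {root[0] if root else None}"
    return True, "ok"


# Constructed sample uploads; the SYSTEM identifier is a labelled placeholder.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
DTD_SVG = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>')
NOT_SVG = b"<html><body/></html>"
```

Run the gate on every upload before any image library or XML API touches the bytes; a rejected file should be logged with the reason string for triage.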
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alkacon | opencms | — | — |
| alkacon | opencms | — | — |
| alkacon | opencms | — | — |
| pugjs | pug | >= 0 < 3.0.1 | 3.0.1 |
| pugjs | pug-code-gen | >= 0 < 2.0.3 | 2.0.3 |
| pugjs | pug-code-gen | >= 3.0.0 < 3.0.2 | 3.0.2 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
OSV
osv · 2021-10-12 · CVE-2021-3312 [MEDIUM] XML External Entity Reference in org.opencms:opencms-core
GHSA
ghsa · 2021-10-12 · CVE-2021-3312 [MEDIUM] CWE-611 XML External Entity Reference in org.opencms:opencms-core
GHSA
ghsa · 2021-03-03 · CVE-2021-21353 [MEDIUM] CWE-74 Remote code execution via the `pretty` option.
### Impact
If a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend.
### Patches
Upgrade to `pug@3.0.1` or `pug-code-gen@2.0.3` or `pug-code-gen@3.0.2`, which correctly sanitise the parameter.
### Workarounds
If there is no way for untrusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.
### References
Original report: https://github.com/pugjs/pug/issues/3312
### For more information
If you believe you have fo
No detection rules found.
No public exploits indexed.
Published: 2021-10-08