cbcvebase.
CVE-2023-42344
published 2026-05-08

CVE-2023-42344: Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.

Priority: P2 77 high
CVSS 3.1: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 2.23% (80.5th percentile)

Detection & IOCs (extracted from sources)

url: /opencms/cmisatom/cmis-online/query
url: /cmisatom/cmis-online/query
other: Server: Apache-Chemistry-OpenCMIS/0.7.0
  • HTTP POST to /opencms/cmisatom/cmis-online/query or /cmisatom/cmis-online/query with Content-Type: application/xml;charset=UTF-8 and an XXE payload is the attack vector for this vulnerability.
  • Vulnerable response contains both 'root:.*:0:0:' (passwd file content) and 'invalidArgument' in the HTTP 400 response body, indicating successful XXE file read via error message leakage.
  • The server banner 'Apache-Chemistry-OpenCMIS/0.7.0' in HTTP responses can be used to fingerprint the vulnerable Chemistry servlet endpoint.
  • The error response leaks file contents inside a CmisInvalidArgumentException / FileNotFoundException error message, which is the out-of-band exfiltration channel for this XXE.
  • FOFA fingerprint query 'OpenCms-9.5.3' can be used to identify internet-exposed OpenCMS instances potentially in the vulnerable range (9.0.0–10.5.0).
  • Affected versions are OpenCMS 9.0.0 through 10.5.0 only; 10.5.1 and later are patched.
  • The vulnerability is unauthenticated: no credentials or session are required to reach the cmis-online/query endpoint.