CVE-2023-42344
Published 2026-05-08
Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.
Priority: P2 · 77 · high · CVSS 3.1: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
ITW · EXPLOIT · VulnCheck KEV: Exploited in the wild
EPSS: 2.23% (80.5th percentile)
Detection & IOCs (extracted from sources)
- URL: /opencms/cmisatom/cmis-online/query
- URL: /cmisatom/cmis-online/query
- HTTP POST to /opencms/cmisatom/cmis-online/query or /cmisatom/cmis-online/query with Content-Type: application/xml;charset=UTF-8 and an XXE payload is the attack vector for this vulnerability.
- A vulnerable response contains both 'root:.*:0:0:' (passwd file content) and 'invalidArgument' in the HTTP 400 response body, indicating a successful XXE file read via error-message leakage.
- The server banner 'Apache-Chemistry-OpenCMIS/0.7.0' in HTTP responses can be used to fingerprint the vulnerable Chemistry servlet endpoint.
- The error response leaks file contents inside a CmisInvalidArgumentException / FileNotFoundException error message, which is the out-of-band exfiltration channel for this XXE.
- The FOFA fingerprint query 'OpenCms-9.5.3' can be used to identify internet-exposed OpenCMS instances potentially in the vulnerable range (9.0.0–10.5.0).
- Affected versions are OpenCMS 9.0.0 through 10.5.0 only; 10.5.1 and later are patched.
- The vulnerability is unauthenticated: no credentials or session are required to reach the cmis-online/query endpoint.
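As an added illustration of the indicators above (this code is not part of the page or of any of the listed sources), a small Python triage routine that scores constructed proxy/WAF events against the endpoint, content-type, DTD-declaration and error-leakage signatures listed. The HttpEvent record and the sample events are assumptions made up for the example.

```python
import re
from collections import namedtuple

# Endpoints, banner and response signatures are those listed in the IoC section above.
QUERY_ENDPOINTS = {"/opencms/cmisatom/cmis-online/query", "/cmisatom/cmis-online/query"}
CHEMISTRY_BANNER = "Apache-Chemistry-OpenCMIS/0.7.0"
DTD_MARKER = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)  # any inline DTD is suspect here
PASSWD_LEAK = re.compile(r"root:.*:0:0:")

# One request/response pair as a reverse proxy or WAF with body logging records it (assumed shape).
HttpEvent = namedtuple("HttpEvent", "method path content_type request_body status "
                       "response_body server_header", defaults=("",))

def is_xxe_attempt(ev):
    # POST to the CMIS query endpoint, XML content type, and a DTD declaration in the body
    path = ev.path.split("?", 1)[0]
    return (ev.method == "POST" and path in QUERY_ENDPOINTS
            and "application/xml" in ev.content_type.lower()
            and DTD_MARKER.search(ev.request_body) is not None)

def leaked_via_error(ev):
    # HTTP 400 whose body carries both 'invalidArgument' and passwd-style content
    return (ev.status == 400 and "invalidArgument" in ev.response_body
            and PASSWD_LEAK.search(ev.response_body) is not None)

def classify(ev):
    if is_xxe_attempt(ev):
        return "exploited" if leaked_via_error(ev) else "attempt"
    if ev.server_header.startswith(CHEMISTRY_BANNER):
        return "exposed-servlet"  # no attack seen, but the fingerprinted servlet is reachable
    return "benign"

# Constructed sample events, not captured traffic.
XML_CT = "application/xml;charset=UTF-8"
SAMPLE_EVENTS = [
    HttpEvent("POST", "/opencms/cmisatom/cmis-online/query", XML_CT,
              '<!DOCTYPE q [<!ENTITY x SYSTEM "file:///etc/passwd">]><query/>', 400,
              "CmisInvalidArgumentException invalidArgument: root:x:0:0:root:/root:/bin/sh",
              CHEMISTRY_BANNER),
    HttpEvent("POST", "/cmisatom/cmis-online/query", XML_CT,
              '<!DOCTYPE q [<!ENTITY x SYSTEM "file:///no/such/file">]><query/>', 400,
              "invalidArgument: FileNotFoundException", CHEMISTRY_BANNER),
    HttpEvent("POST", "/opencms/cmisatom/cmis-online/query", XML_CT, "<query/>", 200, "<feed/>",
              CHEMISTRY_BANNER),
    HttpEvent("GET", "/opencms/", "", "", 200, "<html/>"),
]

def triage(events=SAMPLE_EVENTS):
    return [classify(e) for e in events]
```

The "attempt" verdict covers a blocked or failed read (the second sample, where only the FileNotFoundException reaches the response), so both outcomes surface for review.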
GHSA
Alkacon OpenCms allows remote unauthenticated attackers to obtain sensitive information
ghsa · 2026-05-08 · CVE-2023-42344 · HIGH · CWE-611
Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.
GHSA
GHSA-rcc6-6q2f-m2cw: Alkacon OpenCms before 10
ghsa_unreviewed · 2026-05-08 · CVE-2023-42344 · HIGH · CWE-611
Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.
VulnCheck
OpenCMS XML Unauthenticated XXE Vulnerability
vulncheck · 2023 · CVE-2023-42344
OpenCMS is vulnerable to an unauthenticated external entity vulnerability that could allow for code execution via malicious requests to the OpenCMS server.
Affected: Alkacon Software OpenCMS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-02&host_type=src&vulnerability=cve-2023-42344; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-06&host_type=src&vulnerability=cve-2023-42344; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-08&host_type=src&vulnerabi
No detection rules found.
Nuclei
OpenCMS - XML external entity (XXE)
nuclei · CVE-2023-42344
Users can execute code without authentication. An attacker can execute malicious requests on the OpenCms server. When the requests are successful, vulnerable OpenCms can be exploited, resulting in an unauthenticated XXE vulnerability. Based on research, OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.
Template:

```yaml
id: CVE-2023-42344

info:
  name: OpenCMS - XML external entity (XXE)
  author: 0xr2r
  severity: high
  description: |
    users can execute code without authentication. An attacker can execute malicious requests on the OpenCms server. When the requests are successful vulnerable OpenCms can be exploited resulting in an unauthenticated XXE vulnerability. Based on research OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.
  impact: |
    Unauthenticated att
```
Qualys
OpenCms CVE-2023-42344: XXE Exposure Detailed | Qualys
blogs_qualys · 2023-12-08 · CVE-2023-42344
#### Table of Contents
- About CVE-2023-42344
- Detecting the Vulnerability with Qualys WAS
- Solution
- Credits
- Additional Contributors
OpenCms is a popular open-source Java framework developed by Alkacon Software. OpenCms provides a platform for users to design and develop web applications. The latest version of the framework is 16.0.
## About CVE-2023-42344
CVE-2023-42344 is a critical vulnerability where users can execute code without authentication. An attacker can execute malicious requests on the OpenCms server. When the requests are successful, vulnerable OpenCms can be exploited, resulting in an unauthenticated XXE vulnerability. Based on research, OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.
## Detecting the Vulnerability with Qualys WAS
Qualys has released QID 1507
Qualys
OpenCMS Unauthenticated XXE Vulnerability (CVE-2023-42344)
blogs_qualys · 2023-12-08 · CVE-2023-42344
## Table of Contents
- About CVE-2023-42344
- Detecting the Vulnerability with Qualys WAS
- Solution
- Credits
- Additional Contributors
OpenCms is a popular open-source Java framework developed by Alkacon Software. OpenCms provides a platform for users to design and develop web applications. The latest version of the framework is 16.0.
## About CVE-2023-42344
CVE-2023-42344 is a critical vulnerability where users can execute code without authentication. An attacker can execute malicious requests on the OpenCms server. When the requests are successful, vulnerable OpenCms can be exploited, resulting in an unauthenticated XXE vulnerability. Based on research, OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.
## Detecting the Vulnerability with Qualys WAS
Qualys has released QID 150773: Ope