CVE-2019-11445

Name of the Vulnerable Software and Affected Versions OpenKM versions 6.3.2 through 6.3.7

Description The issue allows an attacker to upload a malicious JSP file into the /okm:root directories and move that file to the home directory of the site. This is achieved by exploiting the Filesystem path control in the admin's Export field, specifically through the frontend/FileUpload and admin/repository export.jsp. As a result, attackers can gain remote code execution through the application server with root privileges.

Recommendations For OpenKM versions 6.3.2 through 6.3.7, consider restricting access to the frontend/FileUpload and admin/repository export.jsp endpoints to minimize the risk of exploitation. Additionally, restrict the ability to upload and move files within the /okm:root directories to prevent malicious file uploads. At the moment, there is no information about a newer version that contains a fix for this vulnerability.