CVE-2018-8811

Name of the Vulnerable Software and Affected Versions OpenCMS version 10.5.3

Description A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation. The system stores uploaded content, such as SVG files, in the CMS content repository without modification. If an SVG file contains a script, it may be executed, potentially leading to malicious activity. To exploit this issue, a user must have an account in the CMS as a content manager.

Recommendations For OpenCMS version 10.5.3, consider disabling the user role.jsp page in system/workplace/admin/accounts/ until a patch is available to prevent privilege escalation requests. Restrict access to the CMS content repository to minimize the risk of exploitation. Avoid allowing registered users to upload potentially malicious content, such as SVG files containing scripts, until the issue is resolved.