PT-2024-36493 · Alkacon · Opencms

Miguel Segovia Gil

·

Published

2024-05-30

·

Updated

2024-05-30

·

CVE-2024-5520

CVSS v3.1

6.4

Medium

Vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Alkacon's OpenCms version 16

Description: Two stored Cross-Site Scripting (XSS) issues have been discovered in Alkacon's OpenCms. The first allows a user whose privileges are sufficient to create or modify web pages in the admin panel to execute malicious JavaScript in other users' browsers by inserting script code in a page's title field, which is then rendered as markup. The second allows users holding the gallery editor or VFS resource manager role to upload images in .svg format that contain JavaScript; that code is executed in the browser of any other user who subsequently opens the image.

Recommendations: For version 16, until a patch is available, consider disabling the ability to insert code in the title field and restricting the upload of .svg images. Restrict access to the admin panel and limit assignment of the gallery editor and VFS resource manager roles to minimize the risk of exploitation.
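The following is an added illustration of the two vectors described above and of the interim mitigations. It is not OpenCms code and not part of the original advisory; the function names, the SVG samples and the upload gate are constructed for this example. It shows why an unescaped title becomes markup, and a pre-upload scanner that flags the active-content constructs (script elements, event-handler attributes, javascript: URIs, foreignObject) that let an uploaded SVG run script when a browser renders it inline.

```python
"""Constructed example for the OpenCms title-field and SVG-upload XSS vectors.

Hypothetical helper code written for this advisory page, not OpenCms's own.
All names and sample inputs below are assumptions for illustration.
"""
import html
import re
import xml.etree.ElementTree as ET

# --- Vector 1: page title rendered as markup --------------------------------

def render_title_unsafe(title: str) -> str:
    """The pattern behind the first issue: the stored title is concatenated
    straight into HTML, so a title containing <script> becomes a script."""
    return f"<h1>{title}</h1>"

def render_title_safe(title: str) -> str:
    """Fix: HTML-escape the title at the point it is written into the page."""
    return f"<h1>{html.escape(title, quote=True)}</h1>"

# --- Vector 2: JavaScript inside an uploaded SVG ----------------------------

_EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)   # onload, onclick, ...
_JS_URI = re.compile(r"^\s*javascript:", re.IGNORECASE)

def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def svg_active_content(data: bytes) -> list[str]:
    """Return the findings that make an SVG unsafe to serve inline.

    An empty list means no script element, event-handler attribute,
    javascript: URI or foreignObject was found. A file that does not parse
    is reported as a finding so it is rejected rather than passed through.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]
    findings: list[str] = []
    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag == "script":
            findings.append("script element")
        elif tag == "foreignobject":
            findings.append("foreignObject element (can embed HTML)")
        for attr, value in elem.attrib.items():
            a = _local(attr).lower()          # covers xlink:href as well
            if _EVENT_ATTR.match(a):
                findings.append(f"event handler attribute {a} on <{tag}>")
            elif a == "href" and _JS_URI.match(value):
                findings.append(f"javascript: URI in href on <{tag}>")
    return findings

def accept_svg_upload(filename: str, data: bytes, allow_svg: bool = False) -> bool:
    """Upload gate matching the advisory's interim advice: reject .svg
    outright unless explicitly allowed, and even then reject any SVG in
    which the scanner finds active content. Other file types are out of
    this gate's scope and pass through to whatever handles them."""
    if not filename.lower().endswith(".svg"):
        return True
    if not allow_svg:
        return False
    return svg_active_content(data) == []

# Constructed sample inputs (not taken from a real upload).
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.domain)</script>
  <circle r="10" onload="alert(1)"/>
  <a xlink:href="javascript:alert(2)"><text>x</text></a>
</svg>"""

BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<rect width="10" height="10"/></svg>')

if __name__ == "__main__":
    print(render_title_unsafe("<script>alert(1)</script>"))
    print(render_title_safe("<script>alert(1)</script>"))
    for finding in svg_active_content(MALICIOUS_SVG):
        print("finding:", finding)
    print("benign svg allowed:", accept_svg_upload("logo.svg", BENIGN_SVG, allow_svg=True))
    print("malicious svg allowed:", accept_svg_upload("evil.svg", MALICIOUS_SVG, allow_svg=True))
```

The scanner is a blocklist and should be read as a detection aid, not as a sanitizer: it does not attempt to cover every way an SVG can obtain script execution, which is why the advisory's recommendation to block .svg uploads until the patch is applied is the more robust interim step. Longer term, serving user-uploaded SVGs as downloads (Content-Disposition: attachment) or from a separate origin keeps any embedded script out of the application's origin even if a file gets past a filter.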

Fix

Weakness Enumeration

XSS

Related Identifiers

CVE-2024-5520
GHSA-VG6X-PCHQ-98MG

Affected Products

Opencms