CVE-2024-5521

Name of the Vulnerable Software and Affected Versions OpenCMS version 16

Description The issue allows a user with the roles of gallery editor or VFS resource manager to upload images in the .svg format containing JavaScript code. This code will be executed when another user accesses the image.

Recommendations For OpenCMS version 16, consider restricting the upload of .svg files or disabling the ability for gallery editors and VFS resource managers to upload images until a fix is available. As a temporary workaround, restrict access to the image upload feature to minimize the risk of exploitation.