6.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-5520

GHSA ID

GHSA-vg6x-pchq-98mg

EPSS Score

0.34766%

CWE

CWE-79

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-5520

CVE-2024-5520: OpenCMS Cross-Site Scripting vulnerability

Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user: with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in the title field. Another could having the roles of gallery editor or VFS resource manager will have the permission to upload images in the .svg format containing JavaScript code. The code will be executed the moment another user accesses the image.

(GitHub Advisory)

6.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-5520

GHSA ID

GHSA-vg6x-pchq-98mg

EPSS Score

0.34766%

CWE

CWE-79

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.opencms:opencms-core	maven	= 16.0	17.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis involved examining the patches for CVE-2024-5520 in OpenCMS. The patches modified two classes, CmsCreateSiteThread and CmsDeleteSiteDialog, to properly escape site titles when generating output, thus fixing an XSS vulnerability. The functions run() in CmsCreateSiteThread and getContent() in CmsDeleteSiteDialog were identified as vulnerable because they directly handled user input (site titles) without proper sanitization before outputting it.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Two *ross-Sit* S*riptin* vuln*r**iliti*s **v* ***n *is*ov*r** in *lk**on's Op*n*MS *****tin* v*rsion **, w*i** *oul* *llow * us*r: wit* su**i*i*nt privil***s to *r**t* *n* mo*i*y w** p***s t*rou** t** **min p*n*l, **n *x**ut* m*li*ious J*v*S*ript *o

Reasoning

T** *n*lysis involv** *x*minin* t** p*t***s *or *V*-****-**** in Op*n*MS. T** p*t***s mo*i*i** two *l*ss*s, `*ms*r**t*Sit*T*r***` *n* `*ms**l*t*Sit**i*lo*`, to prop*rly *s**p* sit* titl*s w**n **n*r*tin* output, t*us *ixin* *n XSS vuln*r**ility. T**

6.4

Basic Information

Concerned about an active attack path?

CVE-2024-5520: OpenCMS Cross-Site Scripting vulnerability

6.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI