Lucene search

[email protected]CVE-2019-13237

HistoryAug 27, 2019 - 12:15 p.m.

CVE-2019-13237

2019-08-2712:15:12

CWE-22

[email protected]

web.nvd.nist.gov

cve-2019-13237

alkacon

opencms

local file inclusion

vulnerability

nvd

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.4 Medium

AI Score

Confidence

High

0.009 Low

EPSS

Percentile

82.7%

JSON

In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp.

Affected configurations

NVD

Node

alkaconopencms_apollo_templateMatch10.5.4

alkaconopencms_apollo_templateMatch10.5.5

CPENameOperatorVersion
alkacon:opencms_apollo_templatealkacon opencms apollo templateeq10.5.4
alkacon:opencms_apollo_templatealkacon opencms apollo templateeq10.5.5