5 matches found
CVE-2020-11991
Apache Cocoon 2.1.12 is vulnerable to XML injection via the StreamGenerator when parsing user-supplied XML containing external entities. This can allow reading arbitrary files on the server. The connected template explicitly notes the issue and recommends upgrading to Apache Cocoon 2.1.13 or late...
CVE-2023-49733
CVE-2023-49733 affects Apache Cocoon from 2.2.0 up to, but not including, 2.3.0. It is an XML External Entity (XXE) reference vulnerability due to improper restriction, enabling potentially sensitive data exposure and other impacts as described in the sources. The recommended remediations are upgrading to...
CVE-2025-24783
Apache Cocoon is affected by an Incorrect Usage of Seeds in the PRNG for continuation identifiers. The PRNG is seeded with startup time, making continuation IDs potentially predictable and enabling access to unauthorized continuations. The issue is stated to affect all versions of Apache Cocoon, ...
CVE-2022-45135
CVE-2022-45135 is an SQL injection flaw in Apache Cocoon (notably the DatabaseCookieAuthenticatorAction) caused by improper neutralization of special elements in SQL commands. Affected versions are 2.2.0 up to, but not including, 2.3.0; remediation is to upgrade to Apache Coco...
CVE-2003-1172
The CVE-2003-1172 entry concerns a directory traversal vulnerability in the view-source sample file of Apache Cocoon 2.1 and 2.2. The flaw allows remote attackers to access arbitrary files by supplying a .. (dot dot) sequence in the filename parameter. This is a server-side path traversal issue w...