CVE-2023-42344
Deferred Deferred - Pending Action
Alkacon OpenCms XXE Vulnerability Exposes Sensitive Data

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: MITRE

Description
Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2023-42344
EUVD
EUVD-2023-46797
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
alkacon opencms to 10.5.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows remote unauthenticated attackers to obtain sensitive information via an XXE attack, which could lead to unauthorized access to confidential data.

Such unauthorized disclosure of sensitive information may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

However, specific impacts on compliance or regulatory requirements are not detailed in the provided information.

Executive Summary

This vulnerability exists in Alkacon OpenCms versions before 10.5.1. It allows remote unauthenticated attackers to obtain sensitive information by exploiting an XML External Entity (XXE) attack through the cmis-online/query feature on a Chemistry servlet.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive information to remote attackers without requiring authentication. This could compromise confidential data managed by the affected system.

Mitigation Strategies

The vulnerability in Alkacon OpenCms before version 10.5.1 can be mitigated by upgrading to OpenCMS version 10.5.1 or later, where the issue has been patched.

Detection Guidance

This vulnerability can be detected by sending a specially crafted POST request to the vulnerable endpoint `/opencms/cmisatom/cmis-online/query` that includes a malicious XML payload exploiting the XXE flaw.

A common detection method involves sending an XML payload designed to read sensitive files such as `/etc/passwd`. If the response contains typical content from this file, such as the string "root:x:", it confirms the presence of the vulnerability.

For example, using a tool like curl, you can send a POST request with an XML body to test for the vulnerability.

  • curl -X POST https://targetsite/opencms/cmisatom/cmis-online/query -H "Content-Type: application/xml" --data-binary @payload.xml

Where `payload.xml` contains the malicious XML designed to trigger the XXE and extract `/etc/passwd`.

Alternatively, automated scanners like Nuclei have templates specifically for CVE-2023-42344 that perform this check by sending the crafted payload and looking for the "root:x:" string in the response.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-42344. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart