CVE-2023-42346
XXE Vulnerability in Alkacon OpenCms
Publication date: 2026-05-08
Last updated on: 2026-05-11
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| alkacon | opencms | to 16 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Alkacon OpenCms versions before 16 and involves an XML External Entity (XXE) attack. It occurs when the <!DOCTYPE> declaration in an XML document refers to an external host, allowing an attacker to exploit the system by processing external entities.
How can this vulnerability impact me? :
An XXE vulnerability can allow attackers to read sensitive files, perform server-side request forgery (SSRF), or cause denial of service by exploiting the XML parser's handling of external entities. This can lead to unauthorized data access or disruption of service.