CVE-2019-11445
Description
OpenKM 6.3.2 through 6.3.7 allows an attacker to upload a malicious JSP file into the /okm:root directories and move that file to the home directory of the site, via frontend/FileUpload and admin/repository_export.jsp. This is achieved by interfering with the Filesystem path control in the admin's Export field. As a result, attackers can gain remote code execution through the application server with root privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenKM 6.3.2 through 6.3.7 allows authenticated users to upload a malicious JSP file and move it to the web root, leading to remote code execution as root.
Vulnerability
OpenKM versions 6.3.2 through 6.3.7 contain a path traversal and arbitrary file upload vulnerability in the administrative interface. An authenticated attacker can upload a malicious JSP file via frontend/FileUpload and then manipulate the "Filesystem path" control in the admin's Export field (admin/repository_export.jsp) to move that file to the home directory of the site (the web root). This allows the attacker to place a web-accessible JSP shell. [1][2]
Exploitation
An attacker must first authenticate to the OpenKM application with administrative privileges. The attacker then uploads a JSP payload using the file upload functionality. Next, they abuse the Export feature by intercepting the request and altering the path parameter to point to the site's home directory. The server moves the uploaded file to that location, making it accessible via HTTP. The Metasploit module automates these steps. [1][2]
Impact
Successful exploitation grants the attacker remote code execution on the application server with root privileges, leading to full compromise of the host system (confidentiality, integrity, and availability). [1]
Mitigation
Upgrade to OpenKM version 6.3.8 or later, which was released to fix this vulnerability. If upgrading is not possible, restrict administrative account access and monitor file uploads. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog. [1][2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: v6.3.3, v6.3.5, v6.3.6
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
Missing validation of the "Filesystem path" (`fsPath`) parameter in `admin/repository_export.jsp` allows an attacker to move an uploaded JSP file from the repository into the application's web-accessible home directory.
Attack vector
An authenticated attacker (default credentials `okmAdmin`/`admin`) first creates a directory under `/okm:root` via the GWT `OKMFolderService.create` call [1][2]. The attacker then uploads a malicious JSP file into that directory through `frontend/FileUpload` using a multipart POST request [1][2]. Next, the attacker reads the Tomcat `catalina.base` path from `admin/system_properties.jsp` and crafts a request to `admin/repository_export.jsp` with the `fsPath` parameter set to the Tomcat webapps directory, causing the server to move the uploaded JSP file from the repository into the application's home directory [1][2]. Finally, the attacker accesses the JSP file directly via the web server, achieving remote code execution with the privileges of the application server (often root) [1][2].
Affected code
The vulnerability involves the `frontend/FileUpload` endpoint (used to upload a malicious JSP file into `/okm:root` directories) and the `admin/repository_export.jsp` page, where the "Filesystem path" (`fsPath`) parameter in the Export field is not properly validated [1][2]. The attacker also leverages the `frontend/Folder` GWT-RPC service to create a staging directory under `/okm:root`.
What the fix does
No patch is included in the bundle. The advisory describes the root cause as insufficient control over the "Filesystem path" parameter in the admin Export field (`repository_export.jsp`) [1][2]. A proper fix would require validating or sanitizing the `fsPath` parameter to prevent directory traversal outside the intended export directory, and restricting the file-move operation so that uploaded JSP files cannot be relocated into the web application's deployable directories.
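One way to implement the `fsPath` confinement described above, as an added example that is not OpenKM's code or its actual fix. The class `ExportPathGuard`, its method names and the sample directory layout are hypothetical; only `fsPath` and the Tomcat `catalina.base` directory come from the page.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Added illustration, not OpenKM code: confines a user-supplied fsPath to one export root. */
public class ExportPathGuard {
    private final Path exportRoot;   // the only directory exports may be written beneath
    private final Path catalinaBase; // Tomcat base directory; never a valid export target

    public ExportPathGuard(Path exportRoot, Path catalinaBase) throws IOException {
        this.exportRoot = exportRoot.toRealPath();     // canonical form, symlinks resolved
        this.catalinaBase = catalinaBase.toRealPath();
    }

    /** Returns the canonical target for fsPath, or throws if it leaves exportRoot. */
    public Path resolve(String fsPath) throws IOException {
        if (fsPath == null || fsPath.isEmpty() || fsPath.indexOf('\0') >= 0) {
            throw new SecurityException("empty or malformed fsPath");
        }
        // An absolute fsPath replaces the base in resolve(); normalize() folds ".." segments.
        Path candidate = exportRoot.resolve(fsPath).normalize();
        // Canonicalise the deepest existing ancestor so a symlink cannot redirect the write.
        Path existing = candidate;
        while (existing != null && !Files.exists(existing)) existing = existing.getParent();
        if (existing == null) throw new SecurityException("fsPath has no existing ancestor");
        Path real = existing.toRealPath().resolve(existing.relativize(candidate)).normalize();
        // Path.startsWith compares whole name elements, unlike String.startsWith.
        // The catalinaBase test is defence in depth in case exportRoot is misconfigured.
        if (!real.startsWith(exportRoot) || real.startsWith(catalinaBase)) {
            throw new SecurityException("fsPath outside export root");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("okm-demo"); // constructed sample layout
        Path exports = Files.createDirectories(tmp.resolve("exports"));
        Path webapp = Files.createDirectories(tmp.resolve("tomcat/webapps/OpenKM"));
        ExportPathGuard guard = new ExportPathGuard(exports, tmp.resolve("tomcat"));
        String[] samples = { "backup-2019", "../tomcat/webapps/OpenKM", webapp.toString() };
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + guard.resolve(s));
            } catch (SecurityException e) {
                System.out.println("DENY  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run against the constructed layout, the relative name inside the export root is allowed, while the `..` traversal and the absolute webapps path are both denied.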
Preconditions
- auth: Attacker must have valid credentials for the OpenKM admin interface (default: okmAdmin/admin)
- network: The OpenKM application must be accessible over HTTP/HTTPS on the network (default port 8080)
- config: The application server (e.g., Tomcat) must have write permissions to its own webapps directory
- input: Attacker must be able to send crafted HTTP requests to the frontend/FileUpload and admin/repository_export.jsp endpoints
Reproduction
The Metasploit module in [1] and [2] provides full reproduction steps. In summary: (1) authenticate as `okmAdmin`; (2) read the X-GWT-Permutation from `frontend.nocache.js`; (3) create a directory under `/okm:root` via the GWT Folder RPC; (4) upload a malicious JSP file to that directory via `frontend/FileUpload`; (5) read the Tomcat base path from `admin/system_properties.jsp`; (6) move the JSP file to the webapps/OpenKM directory by calling `admin/repository_export.jsp` with a crafted `fsPath` parameter; (7) access the JSP file at `/OpenKM/<payload>.jsp` to trigger code execution.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] pentest.com.tr/exploits/OpenKM-DM-6-3-7-Remote-Command-Execution-Metasploit.html (mitre, x_refsource_MISC)
- [2] www.exploit-db.com/exploits/46526 (mitre, x_refsource_MISC)