Moderate severity · NVD Advisory · Published Aug 27, 2019 · Updated Aug 4, 2024

CVE-2019-13237

Description

In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2019-13237 describes multiple Local File Inclusion vulnerabilities in Alkacon OpenCms 10.5.4 and 10.5.5, allowing unauthenticated attackers to read arbitrary server files.

Vulnerability

Description

CVE-2019-13237 is a Local File Inclusion (LFI) vulnerability affecting Alkacon OpenCms versions 10.5.4 and 10.5.5 [2]. The issue resides in multiple JSP and resource files, including clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp [1][2]. These files fail to properly sanitize user-supplied input, allowing an attacker to include and read arbitrary files from the server's filesystem [1].

Exploitation

An attacker can exploit this vulnerability by sending crafted HTTP requests to the vulnerable resources. No authentication is required to access these endpoints [2], and the attack can be launched remotely over the network. By manipulating file-path parameters, the attacker can force the application to include files such as /etc/passwd or configuration files containing sensitive data [1].

Impact

Successful exploitation allows an attacker to read local files on the server, including application source code, configuration files containing credentials or database connection strings, and potentially sensitive operating system files [1][2]. This can lead to further compromise of the system. The vulnerability has a high confidentiality impact, since the attacker gains read access to system and application files [2].

Mitigation

As of the publication date, a fix has been released in a more recent version of OpenCms [4]. Users are strongly advised to upgrade to a patched version of OpenCms immediately. If upgrading is not possible, access to the vulnerable JSP resources should be restricted through web server configuration or by removing the affected files, though this may impact application functionality [1].
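As an added example (not part of this advisory or of the OpenCms project), the following Python scans web-server access-log lines for requests to the JSP resources named above whose query-string values look like path traversal or sensitive-file references. The log lines and directory prefixes are constructed, and every query value is inspected because the advisory does not name the vulnerable parameters.

```python
import re
from urllib.parse import urlparse, unquote

# JSP resources named in the CVE-2019-13237 description, matched by suffix.
AFFECTED_RESOURCES = (
    "clearhistory.jsp", "convertxml.jsp", "group_new.jsp", "loginmessage.jsp",
    "xmlcontentrepair.jsp", "/system/workplace/admin/history/settings/index.jsp",
)

# Traversal and sensitive-file markers, checked after URL decoding.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%00|\x00|/etc/|WEB-INF", re.IGNORECASE)

# Combined-log style: ip - - [time] "METHOD target HTTP/x" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

# Constructed sample lines, not real traffic; the directory prefixes are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Aug/2019:10:00:01 +0000] "GET /opencms/system/workplace/admin/history/settings/index.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Aug/2019:10:00:02 +0000] "GET /opencms/workplace/clearhistory.jsp?resource=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
    '10.0.0.9 - - [27/Aug/2019:10:00:03 +0000] "GET /opencms/system/workplace/admin/history/settings/index.jsp?path=%252e%252e%252fWEB-INF%252fweb.xml HTTP/1.1" 200 901',
    '10.0.0.7 - - [27/Aug/2019:10:00:04 +0000] "GET /opencms/index.html?page=../../etc/passwd HTTP/1.1" 404 120',
]

def decode_twice(s):
    """Percent-decode twice so double-encoded traversal is also caught."""
    return unquote(unquote(s))

def request_is_suspicious(target):
    """True if the request targets an affected JSP and any query value looks
    like a traversal or sensitive-file path (parameter names are unknown)."""
    parsed = urlparse(target)
    path = decode_twice(parsed.path)
    if not parsed.query or not path.endswith(AFFECTED_RESOURCES):
        return False
    return any(TRAVERSAL.search(decode_twice(pair.partition("=")[2]))
               for pair in parsed.query.split("&"))

def scan_access_log(lines):
    """Return (client_ip, request_path, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and request_is_suspicious(m.group(2)):
            hits.append((m.group(1), urlparse(m.group(2)).path, int(m.group(3))))
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("possible LFI probe:", hit)
```

A 200 status on a flagged request is the case worth triaging first, since a patched or access-restricted instance should return an error for these paths.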

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.opencms:opencms-core (Maven)
Affected versions: < 11.0.1
Patched versions: 11.0.1
