CVE-2021-3312
Description
An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XXE vulnerability in Alkacon OpenCms 11.0-11.0.2 allows authenticated editors to exfiltrate server files by uploading a crafted SVG.
Vulnerability
An XML external entity (XXE) vulnerability exists in Alkacon OpenCms versions 11.0, 11.0.1, and 11.0.2. The bug is in the SVG handling of the image resource type (CmsResourceTypeImage.tryAddImageSizeFromSvg): the uploaded SVG is fed to a dom4j SAXReader to read the width and height of the root <svg> element, and that reader is created with its default entity resolution, so any external entity declared in the document's DOCTYPE is fetched by the server when the file is parsed [2][4]. The vulnerable code path is reached whenever a user with edit privileges uploads an SVG file.
Exploitation
To exploit this vulnerability, an attacker needs an account with edit privileges on the OpenCms instance. The attacker uploads an SVG whose DOCTYPE declares an external general entity pointing at a server-side resource, for example <!ENTITY xxe SYSTEM "file:///etc/passwd">, and references that entity in the document body. When the server parses the SVG to determine its dimensions, the XML parser resolves the entity and reads the referenced file. One practical caveat: the parse result is used only for the image size, so the file content is not echoed back in the HTTP response; exfiltration in this setting is blind and depends on the parser following attacker-supplied URLs rather than on the content appearing in a response.
Impact
Successful exploitation allows the attacker to exfiltrate arbitrary files from the server's file system, leading to information disclosure of sensitive data such as configuration files, credentials, or user data [2]. The attacker gains read access to the file system under the privileges of the OpenCms process.
Mitigation
The vulnerability was fixed in commit 92e035423aa6 to the OpenCms core repository [4]. The fix has two parts: tryAddImageSizeFromSvg now installs a CmsXmlEntityResolver on the SAXReader it uses, and CmsXmlEntityResolver.resolveEntity no longer falls back to returning null (which let the parser resolve unknown system IDs through an external URL) but logs the system ID and throws an IOException, aborting the parse. According to the GitHub Security Advisory the fix ships in OpenCms 12.0.0; installations on 11.0.x should upgrade. As a workaround, administrators can disable SVG uploads or restrict edit permissions to trusted users [2].
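To make the Exploitation and Mitigation sections concrete, here is an added example (written for this page, not OpenCms code) that parses a constructed SVG with Python's standard xml.sax parser in three configurations: external entities enabled, which is how the unpatched dom4j reader behaved; an entity resolver that refuses every external reference, mirroring the fix; and external general entities switched off entirely. The secret.txt temp file stands in for a server file such as /etc/passwd, and the names build_svg, parse_svg, SizeAndDesc, DenyExternalEntities and demo are chosen for this example.

```python
"""Added example for CVE-2021-3312 (not OpenCms code): a parser that reads an
SVG only to learn its width/height will still fetch any external entity
declared in the SVG's DOCTYPE unless it is told not to."""
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges


def build_svg(secret_uri: str) -> bytes:
    """Constructed attacker payload: the DOCTYPE declares an external general
    entity pointing at a server-side file and the body references it."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "{secret_uri}"> ]>\n'
        '<svg width="640" height="480"><desc>&xxe;</desc></svg>\n'
    ).encode()


class SizeAndDesc(ContentHandler):
    """Mimics a size-sniffing parse (width/height of the root <svg>) and, so
    that entity resolution is observable, also collects the text of <desc>."""

    def __init__(self):
        super().__init__()
        self.width = None
        self.height = None
        self._in_desc = False
        self._desc = []

    def startElement(self, name, attrs):
        if name == "svg" and self.width is None:
            self.width, self.height = attrs.get("width"), attrs.get("height")
        elif name == "desc":
            self._in_desc = True

    def endElement(self, name):
        if name == "desc":
            self._in_desc = False

    def characters(self, content):
        if self._in_desc:
            self._desc.append(content)

    @property
    def desc(self) -> str:
        return "".join(self._desc)


class DenyExternalEntities(EntityResolver):
    """Counterpart of the OpenCms fix: refuse every external entity with an
    exception instead of letting the parser fetch it."""

    def resolveEntity(self, publicId, systemId):
        raise OSError(f"Entity reference not allowed: {systemId}")


def parse_svg(svg: bytes, *, resolve_external: bool, deny: bool = False):
    """Parse svg and return (width, height, desc text).

    resolve_external=True re-enables external general entities, which is the
    unpatched dom4j default (and Python's xml.sax default before 3.7.1).
    deny=True installs the refusing resolver.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = SizeAndDesc()
    parser.setContentHandler(handler)
    if deny:
        parser.setEntityResolver(DenyExternalEntities())
    parser.parse(io.BytesIO(svg))
    return handler.width, handler.height, handler.desc


def demo() -> dict:
    """Run all three configurations against a constructed secret file."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = pathlib.Path(tmp) / "secret.txt"  # stands in for /etc/passwd
        secret.write_text("root:x:0:0:root:/root:/bin/bash\n")
        svg = build_svg(secret.as_uri())

        # 1. Unpatched behaviour: the file is read and its content lands in <desc>.
        width, height, leaked = parse_svg(svg, resolve_external=True)

        # 2. The fix: the resolver throws, so the parse of the upload aborts.
        try:
            parse_svg(svg, resolve_external=True, deny=True)
            blocked = False
        except OSError:
            blocked = True

        # 3. Defence in depth: external general entities off, reference dropped.
        _, _, dropped = parse_svg(svg, resolve_external=False)

    return {"size": (width, height), "leaked": leaked,
            "blocked": blocked, "dropped": dropped}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The first configuration shows why the size of the uploaded image being the only thing the application wants does not matter: the parser reads the file regardless. The second reproduces the shape of the OpenCms fix (a resolver that throws), and the third is the stronger setting a reader that never needs a DTD should use.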
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opencms:opencms-core (Maven) | >= 11.0.0, < 12.0.0 | 12.0.0 |
Affected products
- Alkacon/OpenCms
Patches
- 92e035423aa6: Fixed XXE issue in SVG processing (github issue #725).
2 files changed · +6 −3
src/org/opencms/file/types/CmsResourceTypeImage.java+2 −0 modified@@ -45,6 +45,7 @@ import org.opencms.security.CmsPermissionSet; import org.opencms.security.CmsSecurityException; import org.opencms.util.CmsStringUtil; +import org.opencms.xml.CmsXmlEntityResolver; import java.io.ByteArrayInputStream; import java.util.ArrayList; @@ -608,6 +609,7 @@ protected List<CmsProperty> tryAddImageSizeFromSvg(byte[] content, List<CmsPrope try { double w = -1, h = -1; SAXReader reader = new SAXReader(); + reader.setEntityResolver(new CmsXmlEntityResolver(null)); Document doc = reader.read(new ByteArrayInputStream(content)); Element node = (Element)(doc.selectSingleNode("/svg")); if (node != null) {
src/org/opencms/xml/CmsXmlEntityResolver.java+4 −3 modified@@ -432,7 +432,8 @@ public InputSource resolveEntity(String publicId, String systemId) throws IOExce } } else if (systemId.substring(0, systemId.lastIndexOf("/") + 1).equalsIgnoreCase( - CmsConfigurationManager.DEFAULT_DTD_PREFIX)) { + CmsConfigurationManager.DEFAULT_DTD_PREFIX)// + ) { // default DTD location in the org.opencms.configuration package String location = null; try { @@ -447,8 +448,8 @@ public InputSource resolveEntity(String publicId, String systemId) throws IOExce LOG.error(Messages.get().getBundle().key(Messages.LOG_DTD_NOT_FOUND_1, location), t); } } - // use the default behaviour (i.e. resolve through external URL) - return null; + LOG.error("Entity reference not allowed: " + systemId, new IOException()); + throw new IOException("Entity reference not allowed (see log for details)"); } /**
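Review bot: in the tryAddImageSizeFromSvg hunk, `reader.setEntityResolver(new CmsXmlEntityResolver(null));` only governs what happens when the parser asks to resolve an external entity; the SAXReader still accepts a DOCTYPE, so internal entity expansion in an uploaded SVG is not addressed here. Since this reader only needs the root element's width and height and never a DTD, consider additionally calling `reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` before `reader.read(...)`, and add a comment saying why the resolver is constructed with a null CmsObject so the next reader does not take it for a mistake.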
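Review bot: the change at line 432 of CmsXmlEntityResolver.java (`CmsConfigurationManager.DEFAULT_DTD_PREFIX)//` followed by `) {` on its own line) is a formatter guard with no functional effect and is unrelated to the XXE fix; it makes the condition harder to read. Drop it from this commit, or if the line break is needed to keep the formatter from reflowing, say so in a short comment rather than leaving a bare `//`.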
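Review bot: replacing `return null;` with `throw new IOException("Entity reference not allowed (see log for details)");` at the end of resolveEntity changes behaviour for every caller of CmsXmlEntityResolver, not only the SVG path: any system ID that is neither an OpenCms-internal DTD nor matched by the earlier branches now aborts the parse instead of being fetched from its URL. That is the right default, but it should be stated in the commit message and release notes as a breaking change for content that relied on external DTDs. Two smaller points: the `new IOException()` passed to LOG.error exists only to capture a stack trace and deserves a comment, and the logged systemId is copied verbatim from the untrusted document, so keep it in the log (as done) and never surface it in an error shown to the uploader.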
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g6v7-vqhx-6v6c (advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-3312 (advisory)
- github.com/alkacon/opencms-core/commit/92e035423aa6967822d343e54392d4291648c0ee (web)
- github.com/alkacon/opencms-core/issues/721 (web)
- github.com/alkacon/opencms-core/issues/725 (web)
News mentions
No linked articles in our index yet.