Moderate severity · NVD Advisory · Published May 16, 2023 · Updated Jan 23, 2025

CVE-2023-31544

Description

A stored cross-site scripting (XSS) vulnerability in alkacon-OpenCMS v11.0.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field under the Upload Image module.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in OpenCMS v11.0.0.0 allows attackers to execute arbitrary web scripts via the Title field in the Upload Image module.

Vulnerability Overview

A stored cross-site scripting (XSS) vulnerability exists in Alkacon OpenCMS version 11.0.0.0, specifically within the Upload Image module. The flaw allows an attacker to inject arbitrary web scripts or HTML into the Title field when uploading an image. The injected payload is stored on the server and executed when any user, including administrators, views the folder containing the uploaded image. [1][4]

Exploitation Details

To exploit this vulnerability, an attacker must first have a valid user account with at least Editor role privileges, enabling them to log into the application. The attacker then uploads an image file to any folder and inserts a malicious JavaScript payload into the Title field of the file. The payload is stored and rendered unsanitized when the file's title is loaded in the folder view. No additional authentication or network position is required beyond being a logged-in user with upload permissions. [4]

Impact

Successful exploitation permits arbitrary script execution in the context of the victim's browser. This can lead to session hijacking, cookie theft, or access to sensitive information displayed on the affected page. The attack can affect any user who navigates to the folder containing the malicious file, including administrators with elevated privileges. [1][4]

Mitigation

The vendor has addressed this vulnerability in a commit to the opencms-core repository. The fix changes the title rendering in the gallery result view from directly concatenating user input into HTML strings to using DOM-based methods like setInnerText(), which properly escapes the content and prevents script injection. Users are strongly advised to update to a patched version of OpenCMS that includes this commit. [3]
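
The difference between the two rendering approaches described above, modelled in plain JavaScript as an added example (not code from OpenCMS or from this advisory). `shorten`, `escapeText`, `tooltipConcat`, `tooltipText`, `unexpectedTags` and the sample record are hypothetical names and constructed data; `escapeText` reproduces the escaping that HTML serialization applies to text nodes.

```javascript
// Added example: models the tooltip builder before and after the fix.
// shorten() is a hypothetical stand-in for CmsClientStringUtil.shortenString.
function shorten(text, max) {
  return text.length > max ? text.slice(0, max - 3) + "..." : text;
}

// What innerHTML serialization does to a text node: &, U+00A0, < and > are escaped.
function escapeText(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/\u00a0/g, "&nbsp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Pre-fix pattern: user-controlled strings concatenated straight into markup.
function tooltipConcat(info) {
  let html = "<p><b>" + shorten(info.title, 70) + "</b></p>";
  for (const extra of info.additionalInfo || []) {
    html += "<p>" + extra.name + ":&nbsp;" + shorten(extra.value, 45) + "</p>";
  }
  return html;
}

// Post-fix pattern: shorten the raw string first, then emit it as text only.
function tooltipText(info) {
  let html = "<p><b>" + escapeText(shorten(info.title, 70)) + "</b></p>";
  for (const extra of info.additionalInfo || []) {
    html += "<p>" + escapeText(extra.name + ":\u00a0" + shorten(extra.value, 45)) + "</p>";
  }
  return html;
}

// Regression check: tag names in the output that the tooltip template never emits.
function unexpectedTags(html, allowed = ["p", "b"]) {
  const names = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return [...new Set(names)].filter((name) => !allowed.includes(name));
}

// Constructed sample record: harmless markup stands in for user-supplied input.
const sample = {
  title: '<u data-test="injected">holiday.png</u>',
  additionalInfo: [{ name: "Size", value: "<i>12 KB</i>" }],
};
```

Running `unexpectedTags` over rendered output for records like `sample` works as a regression test: any tag outside the template's own `p` and `b` means a stored field reached the page as markup.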

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.opencms:opencms-core (Maven)
Affected versions: < 11.0.1
Patched versions: 11.0.1

Affected products

2

Patches

1
21bfbeaf6b03

Fixed XSS issue in gallery result view (github issue #652).

https://github.com/alkacon/opencms-core · gWestenberger · Aug 27, 2019 · via ghsa
1 file changed · +16 -6
  • src-gwt/org/opencms/ade/galleries/client/ui/CmsResultItemWidget.java · +16 -6 · modified
    @@ -39,6 +39,8 @@
     import org.opencms.gwt.shared.CmsAdditionalInfoBean;
     import org.opencms.gwt.shared.CmsListInfoBean;
     
    +import com.google.gwt.dom.client.Element;
    +import com.google.gwt.user.client.DOM;
     import com.google.gwt.user.client.ui.HTML;
     
     /**
    @@ -155,6 +157,13 @@ public CmsResultItemWidget(CmsResultItemBean infoBean, boolean showPath) {
     
         }
     
    +    private static Element appendDom(Element parent, String name) {
    +
    +        Element child = DOM.createElement(name);
    +        parent.appendChild(child);
    +        return child;
    +    }
    +
         /**
          * Gets the image tile.<p>
          *
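
Review bot: The new appendDom helper has no Javadoc, while the method that follows it in this hunk's context ("Gets the image tile.") is documented. A short comment saying that it creates a child element with the given tag name, appends it to the parent and returns the child, and that callers are expected to fill it with setInnerText rather than markup, would match the file's style and record why the helper exists.
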
    @@ -213,16 +222,17 @@ protected void onDetach() {
          */
         private String generateTooltipHtml(CmsListInfoBean infoBean) {
     
    -        StringBuffer result = new StringBuffer();
    -        result.append("<p><b>").append(CmsClientStringUtil.shortenString(infoBean.getTitle(), 70)).append("</b></p>");
    +        Element root = DOM.createElement("div");
    +        appendDom(appendDom(root, "p"), "b").setInnerText(CmsClientStringUtil.shortenString(infoBean.getTitle(), 70));
             if (infoBean.hasAdditionalInfo()) {
                 for (CmsAdditionalInfoBean additionalInfo : infoBean.getAdditionalInfo()) {
    -                result.append("<p>").append(additionalInfo.getName()).append(":&nbsp;");
    -                // shorten the value to max 45 characters
    -                result.append(CmsClientStringUtil.shortenString(additionalInfo.getValue(), 45)).append("</p>");
    +                appendDom(root, "p").setInnerText(
    +                    additionalInfo.getName()
    +                        + ":\u00a0"
    +                        + CmsClientStringUtil.shortenString(additionalInfo.getValue(), 45));
                 }
             }
    -        return result.toString();
    +        return root.getInnerHTML();
         }
     
         /**
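
Review bot: generateTooltipHtml still returns a plain String built from root.getInnerHTML(), so nothing at the type level tells callers that the markup is already escaped, and a later edit could go back to concatenating getTitle() or getValue() into it without any compile-time signal. Consider returning the Element itself or a SafeHtml value, and renaming or documenting the method accordingly. A smaller point on the loop: the removed comment "shorten the value to max 45 characters" could be kept above the new setInnerText call, since the 45 is otherwise unexplained.
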
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
