VYPR
Moderate severity · NVD Advisory · Published Jul 20, 2023 · Updated Oct 24, 2024

CVE-2023-37602

Description

An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Alkacon OpenCMS v15.0 suffers from an arbitrary file upload vulnerability in the /workplace#!explorer component, allowing authenticated attackers to execute arbitrary code via a crafted PNG file.

Vulnerability

Overview

CVE-2023-37602 describes an arbitrary file upload vulnerability in Alkacon OpenCMS v15.0, specifically within the /workplace#!explorer component [1]. The official description notes that an attacker can upload a crafted PNG file to achieve arbitrary code execution [2]. This indicates insufficient validation of file content or upload permissions, enabling the upload of files that may contain executable code, such as PHP or JSP scripts disguised as PNG images.

Attack

Vector and Prerequisites

An attacker must first authenticate to the OpenCMS instance to access the explorer component [3]. The exploitation process involves navigating to the file upload functionality and selecting a specially crafted file (e.g., a PNG with embedded PHP code) [2]. No additional privileges beyond standard upload rights are required, making this a medium-complexity attack that could be executed by users with limited access.

Impact

Successful exploitation allows arbitrary code execution on the underlying server in the context of the web application [2]. This can lead to full compromise of the content management system, including data exfiltration, site defacement, or lateral movement to internal networks.

Mitigation

Status

As of the publication date (2023-07-20), no official patch has been announced. Users should review the vendor's GitHub repository for updates [1] and consider restricting file upload capabilities to trusted users or implementing additional file content validation.
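As an added illustration of the file-content validation suggested above (example code written for this page, not OpenCMS code), the following Python validator walks a PNG's chunk structure before an upload is accepted; the sample image it checks is constructed inline:

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def validate_png(data):
    """Return (ok, reason). Accepts only a structurally well-formed PNG:
    correct signature, IHDR first, every chunk CRC valid, IEND present,
    and nothing after IEND (trailing bytes are a typical place to append
    script text to an otherwise valid image)."""
    if not data.startswith(PNG_SIGNATURE):
        return False, "missing PNG signature"
    pos, first = len(PNG_SIGNATURE), True
    while True:
        if len(data) - pos < 12:
            return False, "truncated chunk header before IEND"
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            return False, "invalid chunk type %r" % ctype
        name = ctype.decode("ascii")
        body_end = pos + 8 + length
        if body_end + 4 > len(data):
            return False, "chunk %s overruns file" % name
        body = data[pos + 8:body_end]
        crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        if zlib.crc32(ctype + body) != crc:
            return False, "CRC mismatch in chunk %s" % name
        if first and ctype != b"IHDR":
            return False, "first chunk is not IHDR"
        if ctype == b"IHDR" and length != 13:
            return False, "IHDR has wrong length"
        first = False
        pos = body_end + 4
        if ctype == b"IEND":
            break
    if pos != len(data):
        return False, "%d trailing bytes after IEND" % (len(data) - pos)
    return True, "well-formed PNG"

def _chunk(ctype, body):
    # Length, type, data, CRC-32 over type+data, as the PNG format defines.
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def minimal_png():
    """Constructed sample input: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 + one grey pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
```

A structurally valid PNG can still carry script text inside a chunk, so this check complements, rather than replaces, re-encoding uploaded images and storing them where the container never executes them.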

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.opencms:opencms-core (Maven)
Affected versions: <= 15.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3