VYPR
Medium severity (6.1) · NVD Advisory · Published May 8, 2026 · Updated May 8, 2026

CVE-2023-42343

Description

A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1 exists via cmis-online/type.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Alkacon OpenCms before 10.5.1 via cmis-online/type allows attackers to inject arbitrary web scripts.

A stored Cross-Site Scripting (XSS) vulnerability exists in Alkacon OpenCms versions prior to 10.5.1. The flaw occurs in the cmis-online/type parameter, where user-supplied input is not properly sanitized before being reflected back to users [1]. This allows an attacker to inject malicious HTML or JavaScript code.

To exploit the vulnerability, an attacker can craft a URL or manipulate the parameter to include arbitrary script payloads. No authentication is required to trigger the XSS, but the victim must open the malicious link. The attack surface is broad because the parameter is used in standard OpenCms functionality related to CMIS integration [4].

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, cookie theft, defacement, or redirection to malicious sites. The impact is limited to the browser session but can compromise user accounts and sensitive data.

Alkacon has released OpenCms version 10.5.1 which addresses this vulnerability. Users are strongly advised to upgrade to the latest version to mitigate the risk. No workarounds have been publicly documented.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.opencms:opencms-core (Maven)
Affected versions: < 16.0
Patched versions: 16.0

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.