VYPR
Medium severity 6.1 · NVD Advisory · Published May 8, 2026 · Updated May 8, 2026

CVE-2023-42345

Description

A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored Cross-Site Scripting (XSS) vulnerability in Alkacon OpenCms before version 16 exists via the updateModelGroups.jsp endpoint.

Vulnerability

Overview

CVE-2023-42345 is a Cross-Site Scripting (XSS) vulnerability in Alkacon OpenCms, an open-source Java content management framework. The flaw resides in the updateModelGroups.jsp page and affects versions prior to OpenCms 16. The root cause is insufficient sanitization of user-supplied input, allowing an attacker to inject arbitrary JavaScript or HTML code that is later executed in the context of a victim's browser [1][2][3][4].

Exploitation and Attack Surface

To exploit this vulnerability, an attacker must be able to submit crafted input to the updateModelGroups.jsp endpoint. Authentication is not required where the endpoint is reachable anonymously, though in typical deployments some level of access may be needed. The injected payload is stored on the server and subsequently rendered when other users (including administrators) access the affected page, making this a stored XSS attack. The attacker does not need to be on the same network; the attack can be carried out remotely over HTTP [1][2][3][4].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user who views the compromised page. This can lead to session hijacking, theft of sensitive data, defacement, or further attacks against the OpenCms instance and its users. Because the payload is stored, the impact can persist until the malicious input is removed or the vulnerability [1][2][3][4].

Mitigation

Users should upgrade to OpenCms version 16 or later, which contains the fix for this vulnerability. No official workaround has been provided, but restricting access to the updateModelGroups.jsp endpoint and applying input validation can reduce risk. The vulnerability has been published in the GitHub Advisory Database and referenced by NVD [3][4].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Ecosystem   Affected versions   Patched versions
org.opencms:opencms-core  Maven       < 16.0              16.0

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)