VYPR
Moderate severity. NVD Advisory. Published Apr 18, 2025. Updated Apr 18, 2025.

CVE-2024-41447

Description

A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the author parameter under the Create/Modify article function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Alkacon OpenCMS v17.0 allows authenticated attackers to inject arbitrary scripts via the author field in article creation.

Vulnerability

CVE-2024-41447 is a stored cross-site scripting (XSS) vulnerability found in Alkacon OpenCMS v17.0. The root cause is improper sanitization of the author parameter within the Create/Modify article function. An attacker can craft a payload containing arbitrary JavaScript or HTML, which is then stored in the system and executed when other users view the affected article. [1][3][4]

Exploitation

To exploit this vulnerability, an attacker must have the ability to create or modify articles within OpenCMS. No special privileges beyond standard content editing are required. The crafted payload is injected into the author field and saved. When any user clicks the "Read More" button on the published article, the stored script executes within the context of that user's browser session. This has been confirmed in tests on modern browsers like Brave and Firefox. [3][4]

Impact

Successful exploitation allows an attacker to execute arbitrary web scripts or HTML in the victim's browser session. This can lead to session hijacking, defacement, theft of sensitive data, or other malicious actions performed under the victim's authentication context. The attack is persistent, meaning every visitor to the affected article is a potential target. [1][3][4]

Mitigation

The vendor has addressed this issue; users are advised to upgrade to the latest release of OpenCMS. No workaround is detailed in the public advisories. The vulnerability was publicly disclosed with a proof-of-concept, and exploit code is available online, highlighting the need for prompt remediation. [2][3][4]
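The Vulnerability and Mitigation sections above both come down to one defect: a stored author value is placed into article HTML without output encoding, so markup it carries runs in every viewer's browser. The following is an added illustration written for this page, not code from Alkacon OpenCms (whose template code is not shown here); it assumes, as a hypothetical, that an article view builds the author span by string interpolation, and shows the vulnerable pattern beside the encoded form, plus a constructed-data audit helper that flags already-stored author values a defender should review. The sample author string is constructed for the example.

```python
import html
import re

# Constructed sample value: an author field carrying markup, standing in for
# the "crafted payload" the advisory describes. Illustrative data only.
SAMPLE_AUTHOR = 'Jane <script>alert("author")</script>'


def render_author_unsafe(author: str) -> str:
    """Vulnerable pattern (hypothetical template): the stored field is
    interpolated into HTML verbatim, so any markup in it becomes part of the
    article's DOM and executes for every viewer."""
    return f'<span class="author">{author}</span>'


def render_author_safe(author: str) -> str:
    """Hardened pattern: contextual output encoding at render time.
    html.escape(..., quote=True) encodes < > & " and ', so the value is inert
    in element content and inside quoted attribute values alike."""
    return f'<span class="author">{html.escape(author, quote=True)}</span>'


# Heuristic (assumed, not from the advisory): tag starts, inline event-handler
# attributes, or javascript: URLs have no place in a person's name field.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|on\w+\s*=|javascript\s*:", re.IGNORECASE)


def looks_like_markup(value: str) -> bool:
    """Flag a stored name field that contains HTML or script-bearing tokens.
    Intended for auditing existing content after patching; it complements
    output encoding rather than replacing it."""
    return bool(MARKUP_RE.search(value))


def audit_authors(records):
    """Given (record_id, author) pairs from storage, return the ids whose
    author field should be reviewed and cleaned."""
    return [rid for rid, author in records if looks_like_markup(author)]


if __name__ == "__main__":
    print("unsafe :", render_author_unsafe(SAMPLE_AUTHOR))
    print("encoded:", render_author_safe(SAMPLE_AUTHOR))
    # Constructed records: only the second one carries markup.
    stored = [(1, "Jane Doe"), (2, SAMPLE_AUTHOR), (3, "Conor O'Brien")]
    print("review  :", audit_authors(stored))
```

The encoding must happen where the value meets HTML, not only on input: a filter applied at article creation does nothing for values that are already stored, which is why the audit helper exists. The same principle applies to OpenCms's JSP templates in Java, where the equivalent of `html.escape` is a contextual HTML-encoding call at the output point.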

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.opencms:opencms-core (Maven)
Affected versions: <= 17.0
Patched versions: none listed

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in the index yet)