VYPR
Low severity · NVD Advisory · Published Apr 21, 2025 · Updated Apr 21, 2025

CVE-2024-42699

Description

Cross-Site Scripting vulnerability in the Create/Modify article function in Alkacon OpenCMS 17.0 allows a remote attacker to inject a JavaScript payload via the image title sub-field of the image field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Alkacon OpenCMS 17.0 allows remote attackers to inject arbitrary JavaScript via the image title sub-field in the image field during article creation or modification.

Vulnerability

Overview

CVE-2024-42699 describes a stored Cross-Site Scripting (XSS) vulnerability in the Create/Modify article function of Alkacon OpenCMS version 17.0. The root cause is the insufficient sanitization of user input supplied through the image title sub-field within the image field component. An attacker can inject arbitrary JavaScript payloads, which are then stored and rendered as part of the article content [1][2].

Exploitation and Attack Surface

To exploit this vulnerability, an attacker needs to have the ability to create or modify articles in the OpenCMS backend. The attack does not require advanced privileges beyond the standard content author role. The malicious payload is delivered via the image title field, a normally trusted metadata input. When other users (including administrators) view the affected article in a web browser, the payload executes in their browser session. The attack is classified as stored (persistent) XSS because the injected script is saved on the server and served to every subsequent visitor [3].
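As an added illustration (Python, not OpenCms's own Java rendering code; the field names, sample paths and title values are constructed for this example), the difference between interpolating the image title into the tag verbatim and encoding it for the HTML attribute context, plus a sweep a defender can run over already-stored titles:

```python
import html
import re

# Constructed sample image field as a content author could submit it.
# The title sub-field carries a quote that closes the attribute; PAYLOAD is
# a placeholder standing in for whatever would follow, not a real script.
SAMPLE_IMAGE = {
    "src": "/sites/default/images/sunset.jpg",
    "title": 'Sunset" onload="PAYLOAD',
}

# Constructed stored articles, one clean and one carrying the title above.
SAMPLE_ARTICLES = [
    {"id": 1, "images": [{"src": "/a.jpg", "title": "Sunset over the bay"}]},
    {"id": 2, "images": [SAMPLE_IMAGE]},
]


def render_image_vulnerable(image: dict) -> str:
    """Interpolates the title raw: the embedded quote ends the title
    attribute and the remainder is parsed as a new attribute."""
    return f'<img src="{image["src"]}" title="{image["title"]}">'


def render_image_safe(image: dict) -> str:
    """Encodes both sub-fields for the attribute context. quote=True matters:
    without it a double quote still breaks out even though < and > are
    encoded."""
    src = html.escape(image["src"], quote=True)
    title = html.escape(image["title"], quote=True)
    return f'<img src="{src}" title="{title}">'


# Characters and patterns that have no business in a plain image title.
ATTR_BREAKOUT = re.compile(r'["\'<>]|\bon\w+\s*=', re.IGNORECASE)


def find_suspicious_titles(articles: list) -> list:
    """Sweep stored content for titles that would break out of an attribute,
    so records saved before a fix is deployed can be reviewed."""
    hits = []
    for art in articles:
        for img in art.get("images", []):
            if ATTR_BREAKOUT.search(img.get("title", "")):
                hits.append((art["id"], img["title"]))
    return hits
```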

Impact

Successful exploitation allows the remote attacker to execute arbitrary JavaScript within the context of the victim's browser session. This can lead to session hijacking, forced redirections, theft of authentication cookies, defacement of the website content displayed to other users, or other actions that the victimized user is permitted to perform within the application. Because the script executes in the context of the OpenCMS domain, the attacker can perform actions on behalf of the victim, including administrative actions if the victim has elevated privileges [2][3].

Mitigation Status

At the time of publication, the official NVD entry does not list a patch version or vendor advisory. The vendor’s GitHub repository [1] may provide future updates. No workarounds are documented in the available references. Security teams using OpenCMS 17.0 should monitor the vendor’s release notes and consider applying the principle of least privilege to article author roles until a fixed version is released. The vulnerability is not yet listed in CISA’s Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.opencms:opencms-core (Maven)
Affected versions: <= 17.0
Patched versions: none listed

Affected products: 3

Patches: 0 (no patches discovered yet)


References: 3
