CVE-2024-5520

Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in the “title” field.

Published: May 30, 2024
Updated: Apr 30, 2025
CVE: CVE-2024-5520
GHSA: GHSA-vg6x-pchq-98mg
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
org.opencms / opencms-core	16.0	16.0.x
org.opencms / opencms-core	16.0	17.0
alkacon / opencms	16.0.0	16.0.0.x

https://github.com/alkacon/opencms-core/commit/b05a5aca0f2b03042ddf2b2bb45fe2243a4084a7
https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-stored-alkacon-opencms

Vulnerability Database

290,206

CVE-2024-5520