OpenKM Document Management Community vulnerable to Cross Site Scripting
OpenKM Document Management Community version 6.3.10.
INCIBE has coordinated the publication of a vulnerability in the OpenKM Document Management Community software, with the internal code INCIBE-2021-346, which was discovered by Jorge Gutiérrez Valderrama.
CVE-2021-3628 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.6 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.
This vulnerability has been solved by OpenKM in its version 6.3.11.
OpenKM Community Edition in its 6.3.10 version is vulnerable to authenticated Cross-site scripting (XSS). A remote attacker could exploit this vulnerability by injecting arbitrary code via the uuid parameter.
This vulnerability has been solved by OpenKM in its 6.3.11 version.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
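The advisory states only that the uuid parameter is reflected without proper neutralization (CWE-79). The following is an added example, not OpenKM code, showing the two defensive controls a practitioner would apply to such a parameter: a strict allowlist check (the value must be a canonical RFC 4122 UUID, which by construction cannot carry markup) and contextual HTML encoding on output. A small log-scanning helper applies the same check to access-log lines so a SOC can flag requests carrying malformed uuid values. The endpoint path, the log format and the sample lines are constructed for the example.

```python
import html
import re
import uuid
from urllib.parse import parse_qs, urlparse

# Allowlist: canonical textual UUID form only (8-4-4-4-12 lowercase hex).
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def validate_uuid(raw):
    """Return the canonical UUID string, or None if the value is not a well-formed UUID."""
    if raw is None:
        return None
    value = raw.strip().lower()
    if not UUID_RE.match(value):
        return None
    try:
        return str(uuid.UUID(value))  # second, library-backed check
    except ValueError:
        return None


def render_unsafe(uuid_param):
    """Hypothetical 'before' pattern: the parameter is echoed verbatim into HTML."""
    return f'<a href="Download?uuid={uuid_param}">Download document {uuid_param}</a>'


def render_hardened(uuid_param):
    """Reject anything that is not a UUID, and encode on output as defence in depth."""
    canonical = validate_uuid(uuid_param)
    if canonical is None:
        return '<p class="error">Invalid document identifier.</p>'
    safe = html.escape(canonical, quote=True)
    return f'<a href="Download?uuid={safe}">Download document {safe}</a>'


def flag_bad_uuid_requests(log_lines):
    """Return the access-log lines whose uuid query parameter is not a well-formed UUID.

    Assumes a constructed 'METHOD PATH PROTOCOL' request-line format.
    """
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        params = parse_qs(urlparse(parts[1]).query)
        for value in params.get("uuid", []):
            if validate_uuid(value) is None:
                flagged.append(line)
                break
    return flagged


# Constructed sample log lines; the /app/Document path is hypothetical.
SAMPLE_LOG = [
    "GET /app/Document?uuid=123e4567-e89b-12d3-a456-426614174000 HTTP/1.1",
    "GET /app/Document?uuid=%3Cb%3Enot-a-uuid%3C%2Fb%3E HTTP/1.1",
    "GET /app/Document?uuid=123E4567-E89B-12D3-A456-426614174000 HTTP/1.1",
]

if __name__ == "__main__":
    for line in flag_bad_uuid_requests(SAMPLE_LOG):
        print("suspicious:", line)
```

Because a canonical UUID is drawn from a fixed alphabet of hex digits and hyphens, the allowlist check alone removes the injection surface; the `html.escape` call stays in place so that a later relaxation of the validator does not silently reintroduce the bug.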
Timeline:
25/02/2021 – Discovery by the researcher.
26/02/2021 – The researcher contacts INCIBE.
25/05/2021 – OpenKM confirms the vulnerability to INCIBE and confirms that the fixed version and the software patch have been published (Security Patch).
27/08/2021 – The advisory is published by INCIBE.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.