OpenKM Document Management Community vulnerable to Cross Site Scripting

Posted date 27/08/2021
Importance
3 - Medium
Affected Resources

OpenKM Document Management Community version 6.3.10.

Description

INCIBE has coordinated the publication of a vulnerability in OpenKM Document Management Community version software, with the internal code INCIBE-2021-346, which has been discovered by Jorge Gutiérrez Valderrama.

CVE-2021-3628 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.6  has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.

Solution

This vulnerability has been solved by OpenKM in its version 6.3.11.

Detail

OpenKM Community Edition in its 6.3.10 version is vulnerable to authenticated Cross-site scripting (XSS). A remote attacker could exploit this vulnerability by injecting arbitrary code via de uuid parameter.

This vulnerability has been solved by OpenKM in its 6.3.11 version.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Timeline:

25/02/2021 – Researchers discovery.
26/02/2021 – Researchers contact with INCIBE.
25/05/2021 – OpenKM confirms the vulnerability to INCIBE and confirms that the fix version and the release software patch have been published (Security Patch).
27/08/20201 – The advisory is published by INCIBE.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

Encuesta valoración

References list
Product sheet
OpenKM update documentation
OpenKM update information
Related GitHub Issue
Etiquetas