OpenKM XXE injection

Posted date
4 - High
Affected Resources

OpenKM Document Management Community, version 6.3.10 and before.


INCIBE has coordinated the publication of a vulnerability in OpenKM, with the internal code INCIBE-2022-0831, which has been discovered by Keval Shah.

CVE-2022-2131 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.5 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L.


This vulnerability has been fixed by the OpenKM team in version 6.3.11, released on 20/05/2021.


OpenKM Community Edition, version 6.3.10 and before, used an XMLReader parser without the required security features set, allowing an attacker to perform an XML external entity (XXE) injection attack.

CWE-611: Improper Restriction of XML External Entity Reference (XXE).
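The weakness described above is a SAX `XMLReader` created with its default feature set, which still honours DOCTYPE declarations and external entities. The following is an added example, not OpenKM's code or the fix shipped in 6.3.11; it shows the hardening a defender applies to a Java `XMLReader` (the feature URIs are those of the Xerces parser bundled with the JDK, which is assumed here) and the check that the hardened reader refuses any document carrying a DOCTYPE. The sample documents are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlReader {

    // Constructed sample: a document that carries a DOCTYPE, the construct
    // an XXE payload depends on. Only an internal entity is declared here.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<note>&greeting;</note>";

    // Constructed sample: an ordinary document with no DOCTYPE.
    static final String PLAIN = "<note>hello</note>";

    /** The weak configuration: a reader with no security features set. */
    static XMLReader defaultReader() throws Exception {
        // External entities and external DTDs are resolved by default.
        return SAXParserFactory.newInstance().newSAXParser().getXMLReader();
    }

    /** The hardened configuration: DOCTYPE rejected, external entities off. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refusing DOCTYPE entirely is the strongest single setting (Xerces feature).
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a caller later re-enables DOCTYPE processing.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader reader = factory.newSAXParser().getXMLReader();
        // Last line of defence: never fetch anything the document references.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }

    /** Parses the XML with the given reader and returns its character data. */
    static String parseText(XMLReader reader, String xml) throws Exception {
        StringBuilder text = new StringBuilder();
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        reader.parse(new InputSource(new StringReader(xml)));
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        XMLReader hardened = hardenedReader();
        System.out.println("plain document: " + parseText(hardened, PLAIN));
        try {
            parseText(hardened, WITH_DOCTYPE);
            System.out.println("DOCTYPE accepted (hardening not in effect)");
        } catch (SAXParseException e) {
            // Expected: the hardened reader refuses the DOCTYPE before any entity is expanded.
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

Running the class parses the plain document normally and rejects the DOCTYPE-bearing one with a `SAXParseException`; the same document parsed through `defaultReader()` is accepted and its entity expanded, which is the behaviour the advisory describes for 6.3.10. A practical audit check is to grep a code base for `getXMLReader()`, `XMLReaderFactory.createXMLReader()` and `SAXParserFactory.newInstance()` and confirm each site sets these features before parsing untrusted input.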

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.
