Home / Early Warning / Security Advisories / OpenKM Document Management Community vulnerable to Cross Site Scripting

OpenKM Document Management Community vulnerable to Cross Site Scripting

Publication date: 
08/27/2021
Importance: 
3 - Media
Affected resources: 

OpenKM Document Management Community version 6.3.10.

Description: 

INCIBE has coordinated the publication of a vulnerability in OpenKM Document Management Community version software, with the internal code INCIBE-2021-346, which has been discovered by Jorge Gutiérrez Valderrama.

CVE-2021-3628 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.6  has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.

Solution: 

This vulnerability has been solved by OpenKM in its version 6.3.11.

Detail: 

OpenKM Community Edition in its 6.3.10 version is vulnerable to authenticated Cross-site scripting (XSS). A remote attacker could exploit this vulnerability by injecting arbitrary code via de uuid parameter.

This vulnerability has been solved by OpenKM in its 6.3.11 version.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Timeline:

25/02/2021 – Researchers discovery.
26/02/2021 – Researchers contact with INCIBE.
25/05/2021 – OpenKM confirms the vulnerability to INCIBE and confirms that the fix version and the release software patch have been published (Security Patch).
27/08/20201 – The advisory is published by INCIBE.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

Encuesta valoración