Home / Early Warning / Security Advisories / OpenKM XXE injection

OpenKM XXE injection

Publication date: 
4 - Alta
Affected resources: 

OpenKM Document Management Community, version 6.3.10 and before.


INCIBE has coordinated the publication of a vulnerability in OpenKM, with the internal code INCIBE-2022-0831, which has been discovered by Keval Shah.

CVE-2022-2131 has been assigned to this vulnerability. A CVSS v3.1 base score of 8,5 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L.


This vulnerability has been solved by the OpenKm team in the 6.3.11 version, released on 20/05/2021.


OpenKM Community Edition in its 6.3.10 version and before was using XMLReader parser in XMLTextExtractor.java file without the required security flags, allowing an attacker to perform a XML external entity injection attack.

CWE-611: improper restriction of XML external entity reference (XXE).

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

Encuesta valoración