CVE-2024-5521

Source
https://cve.org/CVERecord?id=CVE-2024-5521
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5521.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-5521
Published
2024-05-30T11:11:30.216Z
Modified
2026-07-08T08:10:18.073120950Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Cross-Site Scripting stored in Alkacon OpenCMS
Details

Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user having the roles of gallery editor or VFS resource manager will have the permission to upload images in the .svg format containing JavaScript code. The code will be executed the moment another user accesses the image.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/5xxx/CVE-2024-5521.json",
    "cna_assigner": "INCIBE",
    "cwe_ids": [
        "CWE-79"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "16"
                },
                {
                    "last_affected": "16"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/alkacon/opencms-core

Affected ranges

Type
GIT
Repo
https://github.com/alkacon/opencms-core
Events
Database specific
{
    "cpe": "cpe:2.3:a:alkacon:opencms:16.0.0:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "16.0.0"
        },
        {
            "last_affected": "16.0.0"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

16.*
16.0.0
Other
build_16_0_0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5521.json"