Alkacon OpenCms XXE Vulnerability in Cmis Atom Pub Servlet Allowing Information Disclosure

A vulnerability allowing XML External Entity (XXE) processing has been identified in Alkacon OpenCms versions prior to 10.5.1. This issue resides within the Apache Chemistry library, which was introduced in OpenCms 9. The vulnerability allows remote unauthenticated attackers to exploit the 'CmisAtomPubServlet' by injecting external entities that the server then processes, potentially leading to unauthorized access to sensitive files such as the '/etc/passwd' file.

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive files on the server, which could include confidential information or application source code.

Reproduction

The vulnerability can be reproduced by sending a crafted POST request to the '/opencms/cmisatom/cmis-online/query' endpoint. The request must include a 'Content-Type' header set to 'application/cmisquery+xml' and a 'cmis:statement' element that references an injected entity designed to read a sensitive file, such as '/etc/passwd'.

Remediation

Users are advised to update to Alkacon OpenCms version 10.5.1 or later, where this vulnerability has been patched.