CVE-2019-13237 in OpenCmsinfo

Summary

by MITRE

In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/08/2025

The vulnerability identified as CVE-2019-13237 affects Alkacon OpenCms versions 10.5.4 and 10.5.5, presenting a critical local file inclusion flaw that exposes multiple administrative resources to unauthorized access. This vulnerability stems from insufficient input validation and sanitization within the web application's parameter handling mechanisms, allowing malicious actors to manipulate request parameters to access sensitive server files through the affected jsp pages. The impacted resources include clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and the administrative history settings page, all of which process user-supplied parameters without adequate validation, creating potential attack vectors for arbitrary file access.

The technical implementation of this vulnerability demonstrates a classic path traversal attack pattern where attacker-controlled input is directly incorporated into file system operations without proper sanitization. When these jsp pages receive parameters such as file paths or resource identifiers, the application fails to validate or sanitize these inputs before using them in file operations. This flaw enables attackers to traverse the file system and access files that should remain protected, potentially including configuration files, database credentials, application source code, or other sensitive resources. The vulnerability operates at the application layer and can be exploited through simple parameter manipulation in HTTP requests, making it particularly dangerous as it requires minimal technical expertise to exploit.

The operational impact of this vulnerability extends beyond simple information disclosure, as successful exploitation could lead to complete system compromise and unauthorized access to sensitive organizational data. Attackers could potentially access database connection strings, application configuration files, or even execute arbitrary code if the application has write permissions to critical directories. This vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-23 (Relative Path Traversal) classifications, representing a fundamental failure in input validation and access control mechanisms. The attack surface includes not only the listed jsp files but also the broader administrative interface, potentially allowing attackers to escalate privileges and gain unauthorized access to the entire OpenCms system.

Organizations utilizing affected OpenCms versions should implement immediate mitigations including patching to the latest available version, implementing strict input validation for all user-supplied parameters, and configuring proper access controls for administrative resources. The recommended security measures include applying the vendor-provided security patches, implementing web application firewalls to monitor and filter suspicious requests, and conducting thorough security assessments of the application's file access mechanisms. Additionally, organizations should review and restrict file system permissions for the OpenCms installation directories, ensuring that the application runs with minimal required privileges and that sensitive files are properly protected. This vulnerability also maps to ATT&CK technique T1059.007 (Command and Scripting Interpreter: JavaScript) and T1068 (Exploitation for Privilege Escalation) within the adversary tactics framework, highlighting the potential for both information gathering and system compromise activities.

Reservation

07/04/2019

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.07346

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!