CVE-2024-41446
📋 TL;DR
This stored XSS vulnerability in Alkacon OpenCMS v17.0 allows attackers to inject malicious scripts into the image copyright attribute when creating or modifying articles. When users view affected articles, the scripts execute in their browsers, potentially stealing session cookies or performing unauthorized actions. Organizations using OpenCMS v17.0 for content management are affected.
💻 Affected Systems
- Alkacon OpenCMS
📦 What is this software?
OpenCMS by Alkacon
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain administrative access to the CMS, deface websites, or redirect users to malicious sites, potentially compromising the entire content management system and associated data.
Likely Case
Attackers inject malicious scripts that steal user session cookies or credentials when users view compromised articles, leading to account takeover and unauthorized content manipulation.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized, preventing execution while maintaining normal CMS functionality.
🎯 Exploit Status
Exploitation requires authenticated access to create/modify articles. Public proof-of-concept demonstrates payload injection into image copyright fields.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: http://alkacon.com
Restart Required: No
Instructions:
1. Check the vendor website for security updates.
2. Apply any available patches.
3. Verify the fix by testing input validation on the image copyright parameter.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize image copyright field inputs, removing or encoding HTML/script tags.
Implement custom validation in OpenCMS image handling modules to strip script tags and encode special characters.
Content Security Policy
Implement strict Content Security Policy headers to prevent inline script execution and restrict script sources.
Add the header `Content-Security-Policy: script-src 'self'` to HTTP responses.
🧯 If You Can't Patch
- Disable image copyright field functionality or make it read-only for non-administrative users.
- Implement web application firewall rules to block XSS payload patterns in image parameter requests.
🔍 How to Verify
Check if Vulnerable:
Test by creating an article with an image containing a script payload in the copyright field (e.g., <script>alert('XSS')</script>) and check if it executes when viewing the article.
Check Version:
Check OpenCMS version in administration panel or via system information page.
Verify Fix Applied:
Attempt the same payload injection; successful fix should display the script as plain text without execution.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to article creation/modification endpoints with script-like content in image parameters
- Multiple failed login attempts followed by article modifications
Network Indicators:
- HTTP requests containing script tags or JavaScript in image copyright fields
- Unusual outbound connections from CMS server after article views
SIEM Query:
source="opencms" AND (http_method="POST" AND uri_path="/articles" AND http_body CONTAINS "<script>")
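The SIEM query above matches the raw request body, so it misses the URL-encoded form (`%3Cscript%3E`) in which a form-submitted payload normally arrives. The following detection routine, added here as an example and not part of the advisory, decodes the POST body first and then checks only the copyright parameters; the log line format and the parameter name `image.copyright` are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines in an assumed "METHOD PATH body=<urlencoded form>" format.
SAMPLE_LOGS = [
    "POST /articles body=title=Hello&image.copyright=Photo+by+Alice",
    "POST /articles body=title=Hi&image.copyright=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E",
    "POST /articles/7/edit body=image.copyright=%3CSCRIPT%3Ealert%281%29%3C%2FSCRIPT%3E",
    "POST /articles body=title=Hi&image.copyright=Photo+by+%3CAlice%3E",
    "GET /articles/42 body=",
    "POST /login body=user=bob&pass=x",
]

# Parameter names to inspect; "image.copyright" is an assumed name, not OpenCMS's own.
WATCHED_PARAMS = ("image.copyright", "copyright")
ARTICLE_PATHS = ("/articles",)
# Match an opening script tag regardless of case; "\b" keeps "<scripts>"-style words out.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def parse_line(line):
    """Split a log line into (method, path, raw_body)."""
    method, path, body = line.split(" ", 2)
    return method, path, body[len("body="):]


def suspicious_fields(line):
    """Return (param, decoded_value) pairs whose value contains a script tag.

    Only POSTs to article endpoints are considered; parse_qs URL-decodes the
    values, so "%3Cscript%3E" and "<script>" are treated alike.
    """
    method, path, body = parse_line(line)
    if method != "POST" or not path.startswith(ARTICLE_PATHS):
        return []
    params = parse_qs(body, keep_blank_values=True)
    return [(name, value)
            for name in WATCHED_PARAMS
            for value in params.get(name, [])
            if SCRIPT_TAG.search(value)]


def scan(lines):
    """Run the rule over every line; yields (line_number, param, decoded_value)."""
    return [(i, name, value)
            for i, line in enumerate(lines, 1)
            for name, value in suspicious_fields(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("ALERT line %d: %s=%r" % hit)
```

Benign values containing angle brackets (line 4) and non-article or non-POST requests are not flagged, which keeps the rule usable as a low-noise alert rather than a generic `<` filter.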