CVE-2024-42699

6.5 MEDIUM

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS 17.0 allows remote attackers to inject malicious JavaScript payloads via the image title field when creating or modifying articles. When exploited, this can lead to session hijacking, credential theft, or website defacement. Users of OpenCMS 17.0 who allow article creation/modification are affected.

💻 Affected Systems

Products:
  • Alkacon OpenCMS
Versions: 17.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires article creation/modification permissions. The vulnerability exists in the image field's title sub-field during article editing.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, administrative privilege escalation, data exfiltration, and persistent website compromise affecting all users who view malicious articles.

🟠 Likely Case

Session hijacking for authenticated users, credential theft via phishing, and website defacement through injected content.

🟢 If Mitigated

Limited impact with proper content sanitization, CSP headers, and user awareness training.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires article creation/modification access. The GitHub reference contains detailed proof-of-concept documentation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Monitor Alkacon OpenCMS security advisories for updates. Consider upgrading to newer versions if available.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement server-side validation and HTML encoding for all image title inputs in article creation/modification functions.
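The following is an added illustration of this workaround, not OpenCMS code: a generic "render an image tag" routine shown first in the vulnerable concatenation form and then with the title HTML-encoded for the attribute context. The function names, the `MAX_TITLE_LEN` policy value and the sample titles are constructed for the demo. It also shows why validation alone is not enough: the page's own test payload passes a reasonable length/control-character check, and only output encoding neutralises it.

```python
import html
import re

MAX_TITLE_LEN = 200  # assumed policy limit for the demo, not an OpenCMS setting


def validate_image_title(title: str) -> bool:
    """Server-side validation: reject over-long titles and control characters.

    Validation narrows the input space but is not a substitute for output
    encoding; a title made of ordinary printable characters still passes.
    """
    if len(title) > MAX_TITLE_LEN:
        return False
    # Titles are single-line text: reject ASCII control characters (tab, newline, ...).
    return re.search(r"[\x00-\x1f\x7f]", title) is None


def render_image_unsafe(src: str, title: str) -> str:
    """Vulnerable pattern: user-controlled title concatenated into markup unencoded."""
    return f'<img src="{src}" title="{title}" alt="{title}">'


def _esc(value: str) -> str:
    # quote=True also encodes " and ' so a value cannot terminate the attribute.
    return html.escape(value, quote=True)


def render_image_safe(src: str, title: str) -> str:
    """Hardened pattern: every interpolated value is HTML-encoded for the attribute context."""
    return f'<img src="{_esc(src)}" title="{_esc(title)}" alt="{_esc(title)}">'


if __name__ == "__main__":
    # Constructed inputs: the page's test payload and a benign title containing quotes.
    payload = "<script>alert('XSS')</script>"
    benign = 'Q3 "Results" chart'
    for t in (payload, benign):
        print("validates:", validate_image_title(t))
        print("unsafe   :", render_image_unsafe("/img/a.png", t))
        print("safe     :", render_image_safe("/img/a.png", t))
```

Encoding happens at render time, per output context; the same stored title would need JavaScript-string or URL encoding if it were ever emitted into a script block or a link, so the encoding choice belongs to the template, not to the input form.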

Content Security Policy (CSP)

Applies to: all

Implement strict CSP headers to prevent execution of inline JavaScript and restrict script sources.

Content-Security-Policy: default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Disable article creation/modification for untrusted users
  • Implement web application firewall (WAF) rules to block XSS payloads in image title fields

🔍 How to Verify

Check if Vulnerable:

Test by creating or modifying an article with a JavaScript payload in the image title field (e.g., <script>alert('XSS')</script>) and check whether it executes when viewing the article.

Check Version:

Check OpenCMS version in administration interface or configuration files.

Verify Fix Applied:

After implementing the workarounds, test with the same payload to confirm it is properly encoded or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual article modifications, suspicious image title entries containing script tags or JavaScript patterns

Network Indicators:

  • HTTP requests with JavaScript payloads in image title parameters

SIEM Query:

web_logs WHERE url_path CONTAINS '/opencms/' AND (request_body CONTAINS '<script' OR request_body CONTAINS 'javascript:')
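The pseudo-query above is a literal substring match, so a title sent as `%3Cscript%3E` or `JavaScript:` in the raw request body would slip past it. The following is an added Python rendering of the same rule, not part of the original page, that percent-decodes (twice, to catch double encoding) and lowercases the body before matching; the request records are constructed for the demo and the `/opencms/workplace/editor` path is an assumed example, not a documented OpenCMS endpoint.

```python
from urllib.parse import unquote_plus

# Constructed request records standing in for web-server or WAF log entries.
SAMPLE_REQUESTS = [
    {"id": 1, "method": "POST", "path": "/opencms/workplace/editor",
     "body": "title=Quarterly+report"},
    # The page's test payload, percent-encoded as a browser would submit it.
    {"id": 2, "method": "POST", "path": "/opencms/workplace/editor",
     "body": "title=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E"},
    # Mixed-case scheme: a case-sensitive CONTAINS 'javascript:' would miss this.
    {"id": 3, "method": "POST", "path": "/opencms/workplace/editor",
     "body": "title=JavaScript%3Aalert%28%27XSS%27%29"},
    # Same marker but outside the /opencms/ path scope of the query.
    {"id": 4, "method": "POST", "path": "/blog/post",
     "body": "title=<script>x</script>"},
    {"id": 5, "method": "GET", "path": "/opencms/news/article.html", "body": ""},
]

SCRIPT_MARKERS = ("<script", "javascript:")


def normalize_body(body: str) -> str:
    """Percent-decode twice and lowercase so the markers match encoded variants."""
    return unquote_plus(unquote_plus(body)).lower()


def is_suspicious(req: dict) -> bool:
    """Mirror the SIEM rule: /opencms/ path AND a script marker in the (decoded) body."""
    if "/opencms/" not in req["path"]:
        return False
    body = normalize_body(req.get("body", ""))
    return any(marker in body for marker in SCRIPT_MARKERS)


def flag_requests(requests) -> list:
    """Return the ids of requests the rule flags, in log order."""
    return [r["id"] for r in requests if is_suspicious(r)]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["id"], req["path"], "FLAG" if is_suspicious(req) else "-")
```

Expect some noise: a CMS legitimately stores rich-text bodies, so this rule is best scoped to the editor endpoints and to the image-title parameter once its actual name has been confirmed from your own request logs, then correlated with the "unusual article modifications" indicator above.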
