Total
11 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-50072 | 1 Openkm | 1 Openkm | 2024-02-05 | N/A | 5.4 MEDIUM |
| A Stored Cross-Site Scripting (XSS) vulnerability exists in OpenKM version 7.1.40 (dbb6e88) With Professional Extension that allows an authenticated user to upload a note on a file which acts as a stored XSS payload. Any user who opens the note of a document file will trigger the XSS. | |||||
| CVE-2021-33950 | 1 Openkm | 1 Openkm | 2024-02-04 | N/A | 7.5 HIGH |
| An issue discovered in OpenKM v6.3.10 allows attackers to obtain sensitive information via the XMLTextExtractor function. | |||||
| CVE-2022-2131 | 1 Openkm | 1 Openkm | 2024-02-04 | N/A | 9.8 CRITICAL |
| OpenKM Community Edition in its 6.3.10 version and before was using XMLReader parser in XMLTextExtractor.java file without the required security flags, allowing an attacker to perform a XML external entity injection attack. | |||||
| CVE-2022-40317 | 1 Openkm | 1 Openkm | 2024-02-04 | N/A | 5.4 MEDIUM |
| OpenKM 6.3.11 allows stored XSS related to the javascript: substring in an A element. | |||||
| CVE-2021-3628 | 1 Openkm | 1 Openkm | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| OpenKM Community Edition in its 6.3.10 version is vulnerable to authenticated Cross-site scripting (XSS). A remote attacker could exploit this vulnerability by injecting arbitrary code via de uuid parameter. | |||||
| CVE-2019-11445 | 1 Openkm | 1 Openkm | 2024-02-04 | 9.0 HIGH | 7.2 HIGH |
| OpenKM 6.3.2 through 6.3.7 allows an attacker to upload a malicious JSP file into the /okm:root directories and move that file to the home directory of the site, via frontend/FileUpload and admin/repository_export.jsp. This is achieved by interfering with the Filesystem path control in the admin's Export field. As a result, attackers can gain remote code execution through the application server with root privileges. | |||||
| CVE-2014-8957 | 1 Openkm | 1 Openkm | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 allows remote authenticated users to inject arbitrary web script or HTML via the Tasks parameter. | |||||
| CVE-2014-9017 | 1 Openkm | 1 Openkm | 2024-02-04 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 (build 23338) allows remote authenticated users to inject arbitrary web script or HTML via the Subject field in a Task to frontend/index.jsp. | |||||
| CVE-2012-2316 | 1 Openkm | 1 Openkm | 2024-02-04 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in servlet/admin/AuthServlet.java in OpenKM 5.1.7 and other versions before 5.1.8-2 allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary code via the script parameter to admin/scripting.jsp. | |||||
| CVE-2012-2315 | 1 Openkm | 1 Openkm | 2024-02-04 | 4.0 MEDIUM | N/A |
| admin/Auth in OpenKM 5.1.7 and other versions before 5.1.8-2 does not properly enforce privileges for changing user roles, which allows remote authenticated users to assign administrator privileges to arbitrary users via the userEdit action. | |||||
| CVE-2008-2226 | 1 Openkm | 1 Openkm | 2024-02-04 | 5.0 MEDIUM | N/A |
| Unspecified vulnerability in the export feature in OpenKM before 2.0 allows remote attackers to export arbitrary documents via unspecified vectors. NOTE: some of these details are obtained from third party information. | |||||