Research

Multiple Vulnerabilities in OpenCMS 11.0.2

Researchers:

Paul Ritchie & Sam Moore

As part of our ongoing commitment to Open Source security Pentest Ltd conducted a research project into OpenCMS version 11.0.2. This found ten (10) vulnerabilities that have been summarised in the table below:

CVE CVSS Summary

CVE-2021-42212
4.8 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Persistent XSS allowed “admin” level users to send payloads to any user via messages. Admin level privileges were required for this making exploitation unlikely.
CVE-2021-42209
5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Persistent XSS allowed users with at least “editor” privileges to trigger a payload on the publish screen. Access as an “editor” could be used to exploit this and could gain “admin” level privileges.
CVE-2021-42210
5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Persistent XSS allowed users with at least “editor” privileges to trigger a payload on the sitemap screen. Access as an “editor” could be used to exploit this and could gain “admin” level privileges.
CVE-2021-42213
7.6 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
Persistent XSS allowed users with at least “author” privileges to upload HTML files. The file can contain Cross-Site Scripting or Cross Site Request Forgery payloads which will launch from the same origin.
CVE-2021-42211
6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
DOM based XSS within admin interface’s “workspace” UI. An unauthenticated remote attacker could exploit this.
CVE-2021-42215
6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Reflected XSS through the “policy” URL parameter. An unauthenticated remote attacker could exploit this.
CVE-2021-42214
6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
A user without the ability to delete files via the UI could do so using WebDAV. The permissions model was inconsistent across the two channels. A low privileged user could delete the site content to trigger a denial-of-service.
CVE-2021-42206
8.3 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
By exploiting ClickJacking an unauthenticated attacker could obtain admin access. To do so, they would need to entice an “admin” level user to interact with a website while they were authenticated to OpenCMS.
CVE-2021-42208
5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
An unvalidated redirect and forward existed. If an authenticated user clicked on a malicious link they were redirected to the exploit site. If the user was unauthenticated they are prompted to authenticate prior to redirection occurring. This existed in the “/system/login/index.html” script via the “requestedResource” parameter.
CVE-2021-42207
5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
An unvalidated redirect and forward existed. If an authenticated user clicked on a malicious link they were redirected to the exploit site. If the user was unauthenticated they are prompted to authenticate prior to redirection occurring. This existed in the “/system/login/index.html” script via the “loginRedirect” parameter.

These have been patched in the most recent release (12.0.0). Please update all installations of OpenCMS to the latest levels as soon as possible.

Pentest have provided two additional blog posts which show full proof of concept code to go from unauthenticated to in full control over a vulnerable OpenCMS server:

The latest research and insights from Pentest

Looking for more than just a test provider?

Get in touch with our team and find out how our tailored services can provide you with the information security confidence you need.

Contact us today >
Pentest - CREST Accreditation
Pentest ISO 9001 Accreditation
Pentest ISO 27001 Accreditation
Pentest - Cyber Essentials Plus Accreditation
Pentest - OSCP Accreditation

/contact Us

/connect

Twitter Linkedin-in Github Youtube

/services

/about

/links

Pentest Limited is registered in England and Wales with company number 11925182

Registered address: 22 Great James Street, London, WC1N 3ES

VAT registration No: 331802826​

© 2019 - Present. Pentest Limited. All rights reserved.