OpenKM XXE injection

Posted date: 15/07/2022
Importance: 4 - High
Affected Resources

OpenKM Document Management Community, version 6.3.10 and before.

Description

INCIBE has coordinated the publication of a vulnerability in OpenKM, with the internal code INCIBE-2022-0831, which has been discovered by Keval Shah.

CVE-2022-2131 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.5 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L.

Solution

This vulnerability has been solved by the OpenKM team in version 6.3.11, released on 20/05/2021.

Detail

OpenKM Community Edition, in version 6.3.10 and before, used the XMLReader parser in the XMLTextExtractor.java file without the required security flags, allowing an attacker to perform an XML external entity (XXE) injection attack.

CWE-611: Improper Restriction of XML External Entity Reference (XXE).
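The following is an added example, not OpenKM's own code, showing the hardening an XMLReader-based text extractor needs to avoid CWE-611: the SAX reader is configured to refuse any DOCTYPE and to disable external general and parameter entities, and an entity resolver that returns an empty document is installed as a second line of defence. The class and method names, and the two sample documents, are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example (not OpenKM's code): a minimal SAX-based text extractor whose
 * XMLReader is configured so that a DTD or an external entity in the input
 * can never be resolved, which is the hardening CWE-611 calls for.
 */
public class HardenedXmlTextExtractor {

    /** Builds an XMLReader that refuses DTDs and cannot resolve external entities. */
    static XMLReader secureXmlReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setValidating(false);
        factory.setXIncludeAware(false);

        // Ask the JAXP implementation to apply its secure-processing limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE: without a DTD no entity, internal or external, can be declared.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parser implementations that do not honour the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

        XMLReader reader = factory.newSAXParser().getXMLReader();
        // Even if a DTD slipped through, resolve every external entity to an empty document.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }

    /** Collects character data from every element, as a text extractor for indexing would. */
    static String extractText(String xml) throws Exception {
        StringBuilder text = new StringBuilder();
        XMLReader reader = secureXmlReader();
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length).append(' ');
            }
        });
        reader.parse(new InputSource(new StringReader(xml)));
        return text.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a plain document is extracted normally.
        System.out.println(extractText("<doc><title>Quarterly report</title><p>Draft</p></doc>"));

        // Constructed sample: any DOCTYPE, even one declaring only a harmless internal
        // entity, is refused before entity processing starts, so an external entity
        // reference in a document can never be resolved.
        String withDoctype = "<!DOCTYPE doc [<!ENTITY greet \"hello\">]><doc>&greet;</doc>";
        try {
            extractText(withDoctype);
        } catch (SAXException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE outright is the simplest check to verify: a parser that still accepts the second sample document has not been hardened. Where an application genuinely needs internal DTDs, leave `disallow-doctype-decl` off but keep the two `external-*-entities` features disabled and the empty entity resolver in place.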

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.
