Filtered by vendor Openkm Subscriptions
Filtered by product Openkm Subscriptions
Total 14 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-50072 1 Openkm 1 Openkm 2024-11-21 5.4 Medium
A Stored Cross-Site Scripting (XSS) vulnerability exists in OpenKM version 7.1.40 (dbb6e88) With Professional Extension that allows an authenticated user to upload a note on a file which acts as a stored XSS payload. Any user who opens the note of a document file will trigger the XSS.
CVE-2022-47414 1 Openkm 1 Openkm 2024-11-21 5.4 Medium
If an attacker has access to the console for OpenKM (and is authenticated), a stored XSS vulnerability is reachable in the document "note" functionality.
CVE-2022-47413 1 Openkm 1 Openkm 2024-11-21 5.4 Medium
Given a malicious document provided by an attacker, the OpenKM DMS is vulnerable to a stored (persistent, or "Type II") XSS condition.
CVE-2022-40317 1 Openkm 1 Openkm 2024-11-21 5.4 Medium
OpenKM 6.3.11 allows stored XSS related to the javascript: substring in an A element.
CVE-2022-3969 1 Openkm 1 Openkm 2024-11-21 2.6 Low
A vulnerability was found in OpenKM up to 6.3.11 and classified as problematic. Affected by this issue is the function getFileExtension of the file src/main/java/com/openkm/util/FileUtils.java. The manipulation leads to insecure temporary file. Upgrading to version 6.3.12 is able to address this issue. The name of the patch is c069e4d73ab8864345c25119d8459495f45453e1. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-213548.
CVE-2022-2131 1 Openkm 1 Openkm 2024-11-21 8.5 High
OpenKM Community Edition in its 6.3.10 version and before was using XMLReader parser in XMLTextExtractor.java file without the required security flags, allowing an attacker to perform a XML external entity injection attack.
CVE-2021-3628 1 Openkm 1 Openkm 2024-11-21 4.6 Medium
OpenKM Community Edition in its 6.3.10 version is vulnerable to authenticated Cross-site scripting (XSS). A remote attacker could exploit this vulnerability by injecting arbitrary code via de uuid parameter.
CVE-2021-33950 1 Openkm 1 Openkm 2024-11-21 7.5 High
An issue discovered in OpenKM v6.3.10 allows attackers to obtain sensitive information via the XMLTextExtractor function.
CVE-2019-11445 1 Openkm 1 Openkm 2024-11-21 N/A
OpenKM 6.3.2 through 6.3.7 allows an attacker to upload a malicious JSP file into the /okm:root directories and move that file to the home directory of the site, via frontend/FileUpload and admin/repository_export.jsp. This is achieved by interfering with the Filesystem path control in the admin's Export field. As a result, attackers can gain remote code execution through the application server with root privileges.
CVE-2014-9017 1 Openkm 1 Openkm 2024-11-21 N/A
Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 (build 23338) allows remote authenticated users to inject arbitrary web script or HTML via the Subject field in a Task to frontend/index.jsp.
CVE-2014-8957 1 Openkm 1 Openkm 2024-11-21 N/A
Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 allows remote authenticated users to inject arbitrary web script or HTML via the Tasks parameter.
CVE-2012-2316 1 Openkm 1 Openkm 2024-11-21 N/A
Cross-site request forgery (CSRF) vulnerability in servlet/admin/AuthServlet.java in OpenKM 5.1.7 and other versions before 5.1.8-2 allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary code via the script parameter to admin/scripting.jsp.
CVE-2012-2315 1 Openkm 1 Openkm 2024-11-21 N/A
admin/Auth in OpenKM 5.1.7 and other versions before 5.1.8-2 does not properly enforce privileges for changing user roles, which allows remote authenticated users to assign administrator privileges to arbitrary users via the userEdit action.
CVE-2008-2226 1 Openkm 1 Openkm 2024-11-21 N/A
Unspecified vulnerability in the export feature in OpenKM before 2.0 allows remote attackers to export arbitrary documents via unspecified vectors. NOTE: some of these details are obtained from third party information.