Cyber Resilience

CVE-2023-42344

High

Published: 08 May 2026

Modified: 08 May 2026
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.1610 (94.9th percentile)
Risk Priority: 24 (60% EPSS · 20% KEV · 20% CVSS)

Summary

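CVE-2023-42344 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability. The affected asset is listed as Watchtowr, a value inferred from references; the vulnerability description itself names Alkacon OpenCms before 10.5.1 as the affected product. Its CVSS base score is 7.3 (High).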

Operationally, it ranks in the top 5.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Alkacon OpenCms versions before 10.5.1 contain an XML external entity (XXE) vulnerability tracked as CWE-611. The flaw resides in the Chemistry servlet and is reachable through the cmis-online/query endpoint, enabling remote attackers to supply crafted XML that triggers external entity processing.

Unauthenticated attackers with network access can exploit the issue without user interaction or credentials. Successful attacks allow limited disclosure of sensitive information along with partial integrity and availability impacts, corresponding to the reported CVSS 7.3 vector.

Public references describe the vulnerability in detail and include detection templates, but the supplied data contains no explicit statements on patches, configuration changes, or other mitigations. The associated EPSS score has remained flat at 0.1610 with no observed upward trajectory after disclosure.

Vulnerability details

Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.

CVEs Like This One

CVE-2025-10713 (Shared CWE-611)
CVE-2026-40682 (Shared CWE-611)
CVE-2026-41066 (Shared CWE-611)
CVE-2025-0162 (Shared CWE-611)
CVE-2026-33913 (Shared CWE-611)
CVE-2025-68493 (Shared CWE-611)
CVE-2026-24400 (Shared CWE-611)
CVE-2024-46603 (Shared CWE-611)
CVE-2025-12531 (Shared CWE-611)
CVE-2025-49535 (Shared CWE-611)

Affected Assets

Watchtowr
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-611

Penetration testing includes XML external entity payloads, detecting XXE vulnerabilities and enabling their mitigation.

addresses: CWE-611

Identifies XML external entity processing via monitoring of unusual file/network access or resource usage.
