CVE-2023-6379
Published: 13 December 2023
Summary
CVE-2023-6379 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Alkacon Opencms. Its CVSS base score is 5.4 (Medium).
Operationally, it ranks in the top 4.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-6379 is a cross-site scripting vulnerability, tracked under CWE-79, that affects Alkacon Software OpenCMS versions 14 and 15 when using the Mercury template. The flaw permits a remote attacker to supply a crafted JavaScript payload that executes in a victim's browser session, producing a CVSS 3.1 score of 5.4 with network attack vector, low complexity, no required privileges, and user-interaction dependence.
An unauthenticated attacker can deliver the malicious payload through the affected template and thereby obtain limited control over the victim's browsing session, including the ability to read or manipulate certain data within the session scope.
Public advisories published by INCIBE detail multiple vulnerabilities in Alkacon Software OpenCMS and are available at the referenced INCIBE notice page.
The associated EPSS score peaked at 0.2249 and currently stands at 0.1862; this movement does not represent a material rise from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-58619
- 🇪🇸 INCIBE: www.incibe.es
Vulnerability details
Cross-site scripting (XSS) vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to a victim and partially take control of their browsing session.
- CWE(s): CWE-79
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation checks web inputs and rejects script-related content that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
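As an added illustration of the input-validation and output-encoding controls listed above (example code written for this page, not OpenCms or Mercury template code): the snippet below contrasts the CWE-79 pattern of concatenating untrusted input into HTML with the same template using HTML output encoding, adds an allow-list validator for a search term, and includes a leak check a test suite can run against any render function. The sample string, function names and the "search results" template are constructed assumptions.

```python
import html
import re

# Constructed sample: an untrusted value as a template might receive it from a
# query parameter. Hypothetical test input, not a payload taken from the CVE.
UNTRUSTED = '<img src=x onerror="alert(1)">'


def render_unsafe(value: str) -> str:
    """The CWE-79 pattern: untrusted input is concatenated straight into HTML,
    so any markup in the value becomes live markup in the victim's browser."""
    return "<p>Search results for: " + value + "</p>"


def render_safe(value: str) -> str:
    """Output encoding: escape & < > " ' before emitting into an HTML text or
    attribute context, so the browser renders the value as literal text."""
    return "<p>Search results for: " + html.escape(value, quote=True) + "</p>"


# Allow-list for a search term: letters, digits, underscore, space, dot, dash.
# Rejecting everything else is the input-validation control; it is a first
# gate, not a substitute for encoding on output.
SEARCH_TERM_RE = re.compile(r"^[\w .\-]{1,100}$")


def is_valid_search_term(value: str) -> bool:
    """Return True only if the value matches the allow-list."""
    return SEARCH_TERM_RE.fullmatch(value) is not None


def leaks_markup(render, value: str) -> bool:
    """Leak check usable in tests: the template rendered with an empty value
    fixes the number of '<' the template itself emits. If rendering the
    untrusted value produces more '<', raw markup from the input reached the
    output unencoded."""
    baseline = render("").count("<")
    return render(value).count("<") > baseline


if __name__ == "__main__":
    print("valid term?    ", is_valid_search_term(UNTRUSTED))
    print("unsafe leaks?  ", leaks_markup(render_unsafe, UNTRUSTED))
    print("safe leaks?    ", leaks_markup(render_safe, UNTRUSTED))
    print(render_safe(UNTRUSTED))
```

The leak check deliberately compares against the template's own output rather than searching for specific tags, so it also catches encoding mistakes that a tag blocklist would miss, such as a forgotten `quote=True` when the value lands inside an attribute.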