CVE-2006-3934
EPSS 0.69%Alkacon OpenCMS Absolute Path Traversal via pathname in filePath parameter
Published: 5/1/2022Modified: 6/20/2025
Also known as:GHSA-64hc-4jx3-62jp
Description
Absolute path traversal vulnerability in downloadTrigger.jsp in Alkacon OpenCms before 6.2.2 allows remote authenticated users to download arbitrary files via an absolute pathname in the filePath parameter.
Affected packages (1)
- Maven/org.opencms:opencms-corefrom 0, < 6.2.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2006-3934
- PATCHhttps://github.com/alkacon/opencms-core
- WEBhttp://securityreason.com/securityalert/1302
- WEBhttps://exchange.xforce.ibmcloud.com/vulnerabilities/28000
- WEBhttps://github.com/alkacon/opencms-core/commit/8f1c04c5a16fe8d0bdbd13b65bf2a7b5cf100ff9
- WEBhttp://www.opencms.org/export/download/opencms/opencms_6.2.2_src.zip
- WEBhttp://www.opencms.org/opencms/en/shownews.html?id=1002