Cross-Site Request Forgery Vulnerability in OpenKM Community Edition
CVE-2024-35475

6.4 MEDIUM

Key Information:

Vendor:
OpenKM

CVE Published:
22 May 2024

What is CVE-2024-35475?

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in OpenKM Community Edition, affecting versions up to and including 6.3.12. The flaw is in the /admin/DatabaseQuery component: the endpoint accepts a SQL statement from an authenticated administrator's session but does not verify that the request was deliberately submitted from an OpenKM page. An attacker who lures a logged-in administrator to an attacker-controlled page can therefore have the administrator's browser submit a request to this endpoint with the session cookie attached, executing attacker-chosen SQL against the OpenKM database. Because the endpoint already exists to run arbitrary queries, the impact is not a classic SQL injection but full database access at administrator level, which can alter or disclose stored data. No fixed version is given here; until one is applied, practitioners should ensure the administrative interface enforces anti-CSRF tokens and same-origin checks on state-changing requests, set the SameSite attribute on session cookies, and avoid browsing other sites while holding an OpenKM administrator session.

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Score:
6.4
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published: 22 May 2024