CVE-2024-41447: 
Java vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in Alkacon OpenCMS version 17.0. The vulnerability was disclosed on April 18, 2025, and affects the Create/Modify article functionality of the content management system (CVE Details, MITRE CVE).

The vulnerability exists in the author parameter under the Create/Modify article function, allowing attackers to execute arbitrary web scripts or HTML through a crafted payload. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. It is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (CVE Details).

When exploited, this vulnerability allows attackers to inject and execute malicious web scripts or HTML code that will be executed in the context of other users' browsers when they view the affected article. This can lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session (Exploit DB).

Users are advised to upgrade to the latest release of OpenCMS. The vulnerability has been addressed in newer versions of the software (Exploit DB).