OpenCMS 10.5.4 Cross Site Scripting

2019-05-10T00:00:00
ID PACKETSTORM:152826
Type packetstorm
Reporter Pramod Rana
Modified 2019-05-10T00:00:00

Description

`Description: OpenCMS v10.5.4 and earlier is vulnerable to cross-site  
scripting in the New User module via the First Name and Last Name parameters  
  
Impacted URL is  
http://[your_webserver_ip]/opencms/system/workplace/admin/accounts/user_new.jsp  
  
Payload used in PoC is "TestXSS<img+src=x+onmouseover=alert(document.domain)  
  
Further details are available here  
https://github.com/alkacon/opencms-core/issues/635  
  
Already requested for CVE, yet to receive it.  
  
  
`
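
An added example, not taken from the advisory or the OpenCms code base: a standalone Java sketch showing why the First Name value needs HTML output encoding, using the PoC value printed above. The `renderUnsafe` and `renderSafe` helpers and the table-cell markup are hypothetical, and `escapeHtml` is a hand-written encoder, not an OpenCms API.

```java
import java.net.URLDecoder;

public class NameFieldEncodingDemo {

    // Hand-written encoder (assumption, not an OpenCms API) for HTML element
    // content and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical view code, weak form: the stored value is concatenated
    // into markup as-is, so any '<' in it starts a new element.
    static String renderUnsafe(String firstName) {
        return "<td class=\"name\">" + firstName + "</td>";
    }

    // Corrected form: encode at the point of output, whatever was stored.
    static String renderSafe(String firstName) {
        return "<td class=\"name\">" + escapeHtml(firstName) + "</td>";
    }

    public static void main(String[] args) throws Exception {
        // PoC value copied as printed in the advisory (leading quote included).
        // '+' is the form-encoded space, so decode it the way a server would.
        String raw = "\"TestXSS<img+src=x+onmouseover=alert(document.domain)";
        String firstName = URLDecoder.decode(raw, "UTF-8");

        System.out.println("unsafe: " + renderUnsafe(firstName));
        System.out.println("safe:   " + renderSafe(firstName));

        // In the encoded cell the value contributes no '<' of its own:
        // only the template's <td> and </td> remain as markup.
        String inner = escapeHtml(firstName);
        System.out.println("value still contains '<': " + inner.contains("<"));
    }
}
```

The same encoding has to be applied to Last Name and at every place either field is written into a page, since the advisory names both parameters.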