
OpenCMS 7.5.0 Cross Site Scripting

07 Aug 2009. Reported by Katie French. Type: packetstorm. Source: packetstormsecurity.com

OpenCMS 7.5.0 Cross-Site Scripting, Phishing, and Application Error Overview

Code
`Application: OpenCms  
  
Version: 7.5.0  
  
Hardware: Tomcat/Oracle  
  
Vulnerability: Cross-Site Scripting, Phishing Through Frames,  
Application Error  
  
  
Overview:  
  
Various URLs within the deployed OpenCms application version 7.5.0 are  
open to attacks, including Cross-Site Scripting, Phishing Through Frames  
and Application Error. Some of these attacks allow injection of scripts  
into a parameter in the request. The application should filter out such  
hazardous characters from user input.  
  
Example follows:  
Vulnerable URL (from the OpenCms VFS):  
/opencms/opencms/system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp?&homelink=>"'><script>alert("This%20site%20has%20been%20compromised")</script>  
  
Results:  
Insertion of the script into the homelink parameter successfully embeds  
the script in the response, and the script is executed once the page is  
loaded into the user's browser (i.e. vulnerable to Cross-Site Scripting).  
  
  
  
Below find the complete list of vulnerable URLs (all paths are relative  
to the OpenCms VFS). All issues are of High risk.  
  
  
  
/opencms/opencms/system/modules/org.opencms.workplace.help/elements/search.jsp  
  
Remediation: Filter out hazardous characters from user input  
  
Parameter(s): query  
  
Vulnerability(s): Cross-Site Scripting  
  
  
  
/opencms/opencms/system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp  
  
Remediation: Filter out hazardous characters from user input  
  
Parameter(s): homelink  
  
Vulnerability(s): Cross-Site Scripting, Phishing Through Frames  
  
  
  
/opencms/opencms/system/workplace/commons/preferences.jsp  
  
Remediation: Verify that parameter values are in their expected ranges  
and types. Do not output debugging error messages and exceptions  
  
Parameter(s): tabdicopyfilemode, tabdicopyfoldermode,  
tabdideletefilemode  
  
Vulnerability(s): Application Error  
  
  
  
/opencms/opencms/system/workplace/commons/property.jsp  
  
Remediation: Filter out hazardous characters from user input  
  
Parameter: resource  
  
Vulnerability(s): Cross-Site Scripting  
  
  
  
/opencms/opencms/system/workplace/commons/publishproject.jsp  
  
Remediation: Filter out hazardous characters from user input  
  
Parameter(s): title, cancel, dialogtype, framename, progresskey,  
projected, projectname, publishsiblings, relatedresources, subresources  
  
Vulnerability(s): Cross-Site Scripting, Phishing Through Frames, SQL  
Injection  
  
  
  
/opencms/opencms/system/workplace/commons/publishresource.jsp  
  
Remediation: Filter out hazardous characters from user input  
  
Parameter(s):  
  
Vulnerability(s): Cross-Site Scripting  
  
  
  
/opencms/opencms/system/workplace/commons/unlock.jsp  
  
Remediation: Filter out hazardous characters from user input  
  
Parameter(s): title  
  
Vulnerability(s): Cross-Site Scripting, Phishing Through Frames  
  
  
  
/opencms/opencms/system/workplace/editors/editor.jsp  
  
Remediation: Filter out hazardous characters from user input  
  
Parameter(s): resource  
  
Vulnerability(s): Cross-Site Scripting  
  
  
  
/opencms/opencms/system/workplace/editors/dialogs/elements.jsp  
  
Remediation: Filter out hazardous characters from user input  
  
Parameter(s): elementlanguage, resource, title  
  
Vulnerability(s): Cross-Site Scripting, Phishing Through Frames  
  
  
  
/opencms/opencms/system/workplace/locales/en/help/index.html  
  
Remediation: Filter out hazardous characters from user input  
  
Parameter(s): workplaceresource  
  
Vulnerability(s): Phishing Through Frames  
  
  
  
/opencms/opencms/system/workplace/views/admin/admin-main.jsp  
  
Remediation: Filter out hazardous characters from user input  
  
Parameter(s): path  
  
Vulnerability(s): Cross-Site Scripting  
  
  
  
/opencms/opencms/system/workplace/views/explorer/contextmenu.jsp  
  
Remediation: Filter out hazardous characters from user input  
  
Parameter(s): acttarget  
  
Vulnerability(s): Cross-Site Scripting, Phishing Through Frames  
  
  
  
/opencms/opencms/system/workplace/views/explorer/explorer_files.jsp  
  
Remediation: Filter out hazardous characters from user input  
  
Parameter(s): mode  
  
Vulnerability(s): Cross-Site Scripting  
  
  
  
  
  
Katie French  
  
CGI Federal  
  
12601 Fair Lakes Circle  
  
Fairfax,VA 22033  
  
FFX: (703) 227-5642  
  
RRB: (202) 564-0475  
`
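
The remediation lines in the advisory ("filter out hazardous characters from user input", "verify that parameter values are in their expected ranges and types") can be pictured with the following added Java example, which is not part of the advisory and not OpenCms code. It shows output encoding for reflected parameters, a local-path check for link and frame targets such as homelink, and strict parsing for the mode parameters; the class and method names and the accepted mode values 1 to 3 are assumptions.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added illustration, not OpenCms code: class and method names are hypothetical.
public class WorkplaceParamGuard {
    // Site-relative path only: one leading slash, no scheme, no "//", no quotes or brackets.
    private static final Pattern LOCAL_PATH = Pattern.compile("/(?!/)[A-Za-z0-9._~/-]*");
    // Assumed valid values; the advisory does not list the real range of the mode settings.
    private static final Set<Integer> ASSUMED_MODES = Set.of(1, 2, 3);

    /** Encode a value before writing it into HTML text or a quoted attribute. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Link or frame targets (homelink, workplaceresource): local path or a fixed fallback. */
    static String safeLocalLink(String raw, String fallback) {
        return (raw != null && LOCAL_PATH.matcher(raw).matches()) ? raw : fallback;
    }

    /** Mode settings (tabdicopyfilemode, ...): parse strictly, never echo the parse error. */
    static int safeMode(String raw, int fallback) {
        try {
            int v = Integer.parseInt(raw);
            return ASSUMED_MODES.contains(v) ? v : fallback;
        } catch (NumberFormatException e) {
            return fallback; // log server-side; no stack trace in the response
        }
    }

    public static void main(String[] args) {
        String probe = ">\"'><script>alert(1)</script>"; // constructed sample input
        System.out.println(escapeHtml(probe));                   // markup rendered inert
        System.out.println(safeLocalLink(probe, "/index.html")); // falls back to /index.html
        System.out.println(safeMode("1' OR", 1));                // falls back to 1
    }
}
```

Encoding belongs at the point of output and must match the context (HTML body, attribute, JavaScript, URL); the encoder above covers only HTML text and quoted attributes.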
