AlkaconOpencms

32 matches found

CVE | added 2025/04/21 12:00 a.m. | 130 views

CVE-2024-41446

The CVE-2024-41446 entry concerns a stored XSS in Alkacon OpenCMS v17.0. The vulnerability affects the image parameter under the Create/Modify article function, allowing an attacker to inject arbitrary web scripts or HTML and potentially execute them in a victim’s browser. The provided technical ...

CVSS 5.4 | AI score 5.6 | EPSS 0.00272
CVE | added 2019/08/27 11:09 a.m. | 116 views

CVE-2019-13236

Alkacon OpenCms 10.5.4 and 10.5.5 are affected by multiple Reflected and Stored XSS vulnerabilities in the system/workplace/ management interface. Root cause is not explicitly detailed beyond XSS in the provided documents. The issues could allow execution of arbitrary scripts in authenticated use...

CVSS 6.1 | AI score 5.8 | EPSS 0.03114
Web
CVE | added 2021/10/08 2:44 p.m. | 91 views

CVE-2021-3312

CVE-2021-3312 describes an XML External Entity (XXE) vulnerability in Alkacon OpenCms (11.0, 11.0.1, 11.0.2). The underlying issue allows remote authenticated users with edit privileges to exfiltrate files from the server’s filesystem by uploading a crafted SVG document. The vulnerability is tied...

CVSS 6.5 | AI score 6.1 | EPSS 0.01249
CVE | added 2023/12/13 10:52 a.m. | 88 views

CVE-2023-6379

Affected software: Alkacon Software Open CMS (Mercury template) v14–v15. Vulnerability: Cross-site scripting (XSS) via the Mercury template. Unauthenticated attackers can inject arbitrary JavaScript through multiple parameters on OpenCMS Mercury pages, potentially leading to session cookie theft ...

CVSS 6.1 | AI score 5.8 | EPSS 0.01752
CVE | added 2025/04/18 12:00 a.m. | 82 views

CVE-2024-41447

CVE-2024-41447: Alkacon OpenCMS 17.0 stored XSS. A stored cross-site scripting flaw exists in the author parameter used in the Create/Modify article workflow, allowing an attacker to inject arbitrary web scripts/HTML. The vulnerability affects OpenCMS v17.0 and can be triggered by crafted paylo...

CVSS 5.4 | AI score 5.7 | EPSS 0.00209
CVE | added 2024/05/30 11:11 a.m. | 81 views

CVE-2024-5521

The CVE-2024-5521 entry describes stored Cross-Site Scripting in Alkacon OpenCMS 16 via SVG file uploads. The root cause is improper validation of .svg images, which, when uploaded by users with gallery editor or VFS resource manager roles, allows JavaScript in the SVG to execute when another use...

CVSS 6.4 | AI score 6.6 | EPSS 0.0026
CVE | added 2018/03/20 7:00 a.m. | 70 views

CVE-2018-8811

OpenCMS 10.5.3 is affected by a CSRF vulnerability in system/workplace/admin/accounts/user_role.jsp that can lead to privilege escalation by hijacking an admin session. Exploitation requires the attacker to have a CMS account with content-manager privileges; multiple public exploits (Exploit-DB, ...

CVSS 8.8 | AI score 9 | EPSS 0.02228
Web
CVE | added 2023/07/20 12:00 a.m. | 70 views

CVE-2023-37602

CVE-2023-37602 affects Alkacon OpenCMS v15.0, specifically the /workplace#!explorer component. The Arbitrary file upload vulnerability allows an attacker to upload a crafted PNG to execute arbitrary code. The NVD entry reports a CVSS v3.1 base score of 6.1 (Medium) with Network access, Low attack...

CVSS 6.1 | AI score 6.6 | EPSS 0.00586
CVE | added 2024/05/30 11:10 a.m. | 69 views

CVE-2024-5520

OpenCMS 16 by Alkacon has two stored Cross-Site Scripting vulnerabilities affecting the title field that let users with sufficient privileges create/modify pages and execute malicious JavaScript when pages are viewed. The issue arises from insufficient input validation in the title field. Several...

CVSS 6.4 | AI score 6.6 | EPSS 0.00283
CVE | added 2023/12/13 10:54 a.m. | 68 views

CVE-2023-6380

CVE-2023-6380: Open Redirect in Alkacon Software OpenCms. Affected: OpenCms 14–15 with the Mercury template. Root cause: lack of sanitization of the URI parameter enables an attacker to craft a link and lure a user to a malicious site, potentially facilitating phishing or malware distribution. I...

CVSS 6.1 | AI score 6.1 | EPSS 0.01594
CVE | added 2005/12/22 11:00 a.m. | 66 views

CVE-2005-4475

OpenCms 6.0.3 and earlier is affected by a Cross-site Scripting (XSS) vulnerability in unspecified search parameters. Root cause: improper handling of user-supplied search inputs leading to script/HTML injection. Impact (per provided data): partial confidentiality, integrity, and availability. No...

CVSS 6.8 | AI score 6 | EPSS 0.01326
CVE | added 2018/03/20 7:00 a.m. | 66 views

CVE-2018-8815

CVE-2018-8815 concerns Alkacon OpenCMS 10.5.3 where the gallery feature is vulnerable to cross-site scripting (XSS). A remote attacker can inject arbitrary web script or HTML by supplying a malicious SVG image, due to an underlying issue in the gallery function. The available sources confirm the ...

CVSS 4.6 | AI score 4.5 | EPSS 0.01405
CVE | added 2025/04/21 12:00 a.m. | 64 views

CVE-2024-42699

Summary: CVE-2024-42699 is a Cross-Site Scripting (XSS) vulnerability in Alkacon OpenCMS 17.0, exploitable via the Create/Modify article image field title sub-field. The root cause is insufficient input sanitization allowing an attacker to inject JavaScript that is stored and later reflected to u...

CVSS 6.5 | AI score 6.6 | EPSS 0.00286
CVE | added 2006/07/31 10:00 p.m. | 63 views

CVE-2006-3935

Alkacon OpenCms before 6.2.2 has improper access control in system/workplace/views/admin/admin-main.jsp, allowing remote authenticated users to perform six admin actions (broadcast messages, list users, add webusers, upload import/export files, upload modules, read the log file) by manipulating t...

CVSS 6.5 | AI score 6.4 | EPSS 0.01811
Web
CVE | added 2019/05/08 3:34 p.m. | 62 views

CVE-2019-11818

CVE-2019-11818 affects Alkacon OpenCMS v10.5.4 and earlier. The stored XSS vulnerability resides in the New User module (opencms/system/workplace/admin/accounts/user_new.jsp), allowing attackers to inject arbitrary JavaScript via First Name or Last Name fields; the payload is executed when the af...

CVSS 6.1 | AI score 5.9 | EPSS 0.00765
Web
CVE | added 2023/05/16 12:00 a.m. | 62 views

CVE-2023-31544

CVE-2023-31544 describes a stored Cross-site Scripting (XSS) vulnerability in alkacon-OpenCMS v11.0.0.0. The issue arises when a crafted payload is injected into the Title field in the Upload Image module, allowing an attacker to execute arbitrary web scripts or HTML in affected contexts. The C...

CVSS 5.4 | AI score 5.2 | EPSS 0.00403
CVE | added 2006/05/24 11:00 p.m. | 61 views

CVE-2006-2571

The CVE-2006-2571 entry refers to an XSS vulnerability in Alkacon OpenCms (versions 6.0.0, 6.0.2, 6.0.3) where arbitrary web script/HTML can be injected through the query parameter in a search action on search.html. This is triggered remotely via the vulnerable search feature, enabling script exe...

CVSS 2.6 | AI score 5.7 | EPSS 0.01358
CVE | added 2006/07/31 10:00 p.m. | 61 views

CVE-2006-3933

Alkacon OpenCms prior to 6.2.2 is affected by a Cross-site Scripting (XSS) vulnerability: remote authenticated users can inject arbitrary web script or HTML via the message body. The vulnerability is documented under CVE-2006-3933 with OpenCms 6.2.2 as the referenced fixed/bellwether release in t...

CVSS 3.5 | AI score 5.3 | EPSS 0.01099
CVE | added 2006/07/31 10:00 p.m. | 61 views

CVE-2006-3936

Alkacon OpenCms is affected by a JSP source disclosure in system/workplace/editors/editor.jsp prior to version 6.2.2. The vulnerability allows an authenticated user to read the source code of arbitrary JSP files by supplying the file path via the resource parameter (demonstrated with index.jsp). ...

CVSS 4 | AI score 6.5 | EPSS 0.01356
Web
CVE | added 2008/03/25 11:00 p.m. | 61 views

CVE-2008-1510

CVE-2008-1510 describes a Cross-site scripting (XSS) vulnerability in Alkacon OpenCMS 7.0.3, specifically in the page system/workplace/admin/accounts/users_list.jsp. An attacker can inject arbitrary script/HTML via the (1) searchfilter or (2) listSearchFilter parameters, potentially affecting use...

CVSS 4.3 | AI score 5.5 | EPSS 0.01462
Web
CVE | added 2006/07/31 10:00 p.m. | 59 views

CVE-2006-3934

Affected software: Alkacon OpenCms prior to 6.2.2. Vulnerability: Absolute path traversal in downloadTrigger.jsp via the filePath parameter, allowing remote authenticated users to download arbitrary files. Root cause: improper handling/validation of absolute pathnames in filePath. Impact: pot...

CVSS 4 | AI score 6.4 | EPSS 0.01432
CVE | added 2013/08/09 9:00 p.m. | 59 views

CVE-2013-4600

OpenCms

CVSS 4.3 | AI score 5.7 | EPSS 0.01878
Web
CVE | added 2021/10/19 8:15 a.m. | 56 views

CVE-2021-25968

OpenCMS versions 10.5.0–11.0.2 are affected by a stored XSS in the Sitemap functionality. Low-privileged application users can store malicious scripts, which execute in a victim’s browser when the vulnerable page is opened. Exploitation details or patches are not provided in the supplied documents.

CVSS 5.4 | AI score 5 | EPSS 0.00498
CVE | added 2019/05/08 3:35 p.m. | 55 views

CVE-2019-11819

CVE-2019-11819 affects Alkacon OpenCMS v10.5.4 and earlier. The vulnerability is a CSV (Excel Macro) Injection in the New User module (path: /opencms/system/workplace/admin/accounts/user_new.jsp) triggered via the First Name or Last Name fields. The connected documents confirm the same issue acro...

CVSS 7.8 | AI score 7.8 | EPSS 0.01001
Web
CVE | added 2008/03/12 5:00 p.m. | 54 views

CVE-2008-1301

The CVE-2008-1301 entry concerns Alkacon OpenCms (versions 7.0.3 and 7.0.4). The vulnerability is an absolute path traversal in logfileViewSettings.jsp (path: system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp) that allows remote authenticated administrators to read arbitrary fi...

CVSS 4 | AI score 6.3 | EPSS 0.02255
Web
CVE | added 2015/03/19 2:00 p.m. | 53 views

CVE-2015-2351

CVE-2015-2351 describes multiple XSS flaws in Alkacon OpenCms 9.5.1 and earlier caused by insufficient input filtering. Attackers can inject arbitrary script/HTML via five vectors: homelink in system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp; workplaceresource in system/workpl...

CVSS 4.3 | AI score 5.9 | EPSS 0.01892
Web
CVE | added 2005/12/16 11:00 a.m. | 51 views

CVE-2005-4294

Alkacon OpenCms

CVSS 4.3 | AI score 5.9 | EPSS 0.01374
CVE | added 2008/02/27 7:00 p.m. | 51 views

CVE-2008-1045

Alkacon OpenCMS 7.0.3 contains a Cross-site Scripting (XSS) vulnerability in the file tree navigation function (system/workplace/views/explorer/tree_files.jsp). The issue allows remote attackers to inject arbitrary web script or HTML via the resource parameter. No other concrete details (such as ...

CVSS 4.3 | AI score 5.7 | EPSS 0.01465
Web
CVE | added 2008/03/12 5:00 p.m. | 51 views

CVE-2008-1300

CVE-2008-1300 describes a cross-site scripting (XSS) vulnerability in Alkacon OpenCms, specifically in the Logfile Viewer Settings function (system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp) in OpenCms 7.0.3 and 7.0.4. The flaw allows remote attackers to inject arbitrary web s...

CVSS 4.3 | AI score 5.7 | EPSS 0.01511
Web
CVE | added 2008/04/11 8:28 p.m. | 50 views

CVE-2008-1753

CVE-2008-1753 is an XSS vulnerability in Alkacon OpenCMS 7.0.3, specifically in system/workplace/admin/workplace/sessions.jsp where the searchfilter parameter is not properly sanitized. The issue (different vector from CVE-2008-1510) allows remote attackers to inject arbitrary script/HTML, as doc...

CVSS 4.3 | AI score 5.5 | EPSS 0.01107
Web
CVE | added 2026/02/19 8:38 a.m. | 18 views

CVE-2026-2735

CVE-2026-2735 describes a Stored XSS in Alkacon’s OpenCms v18.0. The vulnerability occurs when user input is not properly validated in a POST request to /blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt using the text parameter. According to the record, the impact is limited to the vulnerab...

CVSS 5.4 | AI score 5.5 | EPSS 0.00177
Web
CVE | added 2026/02/19 8:39 a.m. | 16 views

CVE-2026-2736

Alkacon OpenCms 18.0 is affected by CVE-2026-2736: a reflected XSS vulnerability exploitable by sending a user a malicious URL containing the q parameter in /search/index.html. The issue allows execution of JavaScript in the victim’s browser, enabling potential access to session cookies or action...

CVSS 6.1 | AI score 5.8 | EPSS 0.00149
Web