CVE-2024-41446
The CVE-2024-41446 entry concerns a stored XSS in Alkacon OpenCMS v17.0. The vulnerability affects the image parameter under the Create/Modify article function, allowing an attacker to inject arbitrary web scripts or HTML and potentially execute them in a victim’s browser. The provided technical ...
CVE-2019-13236
Alkacon OpenCms 10.5.4 and 10.5.5 are affected by multiple Reflected and Stored XSS vulnerabilities in the system/workplace/ management interface. Root cause is not explicitly detailed beyond XSS in the provided documents. The issues could allow execution of arbitrary scripts in authenticated use...
CVE-2021-3312
CVE-2021-3312 describes an XML External Entity (XXE) vulnerability in Alkacon OpenCms (11.0, 11.0.1, 11.0.2). The underlying issue allows remote authenticated users with edit privileges to exfiltrate files from the server’s filesystem by uploading a crafted SVG document. The vulnerability is tied...
CVE-2023-6379
Affected software: Alkacon Software Open CMS (Mercury template) v14–v15. Vulnerability: Cross-site scripting (XSS) via the Mercury template. Unauthenticated attackers can inject arbitrary JavaScript through multiple parameters on OpenCMS Mercury pages, potentially leading to session cookie theft ...
CVE-2024-41447
CVE-2024-41447 — Alkacon OpenCMS 17.0 stored XSS. A stored cross-site scripting flaw exists in the author parameter used in the Create/Modify article workflow, allowing an attacker to inject arbitrary web scripts/HTML. The vulnerability affects OpenCMS v17.0 and can be triggered by crafted paylo...
CVE-2024-5521
The CVE-2024-5521 entry describes stored Cross-Site Scripting in Alkacon OpenCMS 16 via SVG file uploads. The root cause is improper validation of .svg images, which, when uploaded by users with gallery editor or VFS resource manager roles, allows JavaScript in the SVG to execute when another use...
CVE-2018-8811
OpenCMS 10.5.3 is affected by a CSRF vulnerability in system/workplace/admin/accounts/user_role.jsp that can lead to privilege escalation by hijacking an admin session. Exploitation requires the attacker to have a CMS account with content-manager privileges; multiple public exploits (Exploit-DB, ...
CVE-2023-37602
CVE-2023-37602 affects Alkacon OpenCMS v15.0, specifically the /workplace#!explorer component. The Arbitrary file upload vulnerability allows an attacker to upload a crafted PNG to execute arbitrary code. The NVD entry reports a CVSS v3.1 base score of 6.1 (Medium) with Network access, Low attack...
CVE-2024-5520
OpenCMS 16 by Alkacon has two stored Cross-Site Scripting vulnerabilities affecting the title field that let users with sufficient privileges create/modify pages and execute malicious JavaScript when pages are viewed. The issue arises from insufficient input validation in the title field. Several...
CVE-2023-6380
CVE-2023-6380: Open Redirect in Alkacon Software OpenCms. Affected: OpenCms 14–15 with the Mercury template. Root cause: lack of sanitization of the URI parameter enables an attacker to craft a link and lure a user to a malicious site, potentially facilitating phishing or malware distribution. I...
CVE-2005-4475
OpenCms 6.0.3 and earlier is affected by a Cross-site Scripting (XSS) vulnerability in unspecified search parameters. Root cause: improper handling of user-supplied search inputs leading to script/HTML injection. Impact (per provided data): partial confidentiality, integrity, and availability. No...
CVE-2018-8815
CVE-2018-8815 concerns Alkacon OpenCMS 10.5.3 where the gallery feature is vulnerable to cross-site scripting (XSS). A remote attacker can inject arbitrary web script or HTML by supplying a malicious SVG image, due to an underlying issue in the gallery function. The available sources confirm the ...
CVE-2024-42699
Summary: CVE-2024-42699 is a Cross-Site Scripting (XSS) vulnerability in Alkacon OpenCMS 17.0, exploitable via the Create/Modify article image field title sub-field. The root cause is insufficient input sanitization allowing an attacker to inject JavaScript that is stored and later reflected to u...
CVE-2006-3935
Alkacon OpenCms before 6.2.2 has improper access control in system/workplace/views/admin/admin-main.jsp, allowing remote authenticated users to perform six admin actions (broadcast messages, list users, add webusers, upload import/export files, upload modules, read the log file) by manipulating t...
CVE-2019-11818
CVE-2019-11818 affects Alkacon OpenCMS v10.5.4 and earlier. The stored XSS vulnerability resides in the New User module (opencms/system/workplace/admin/accounts/user_new.jsp), allowing attackers to inject arbitrary JavaScript via First Name or Last Name fields; the payload is executed when the af...
CVE-2023-31544
CVE-2023-31544 describes a stored Cross-site Scripting (XSS) vulnerability in alkacon-OpenCMS v11.0.0.0. The issue arises when a crafted payload is injected into the Title field in the Upload Image module, allowing an attacker to execute arbitrary web scripts or HTML in affected contexts. The C...
CVE-2006-2571
The CVE-2006-2571 entry refers to an XSS vulnerability in Alkacon OpenCms (versions 6.0.0, 6.0.2, 6.0.3) where arbitrary web script/HTML can be injected through the query parameter in a search action on search.html. This is triggered remotely via the vulnerable search feature, enabling script exe...
CVE-2006-3933
Alkacon OpenCms prior to 6.2.2 is affected by a Cross-site Scripting (XSS) vulnerability: remote authenticated users can inject arbitrary web script or HTML via the message body. The vulnerability is documented under CVE-2006-3933 with OpenCms 6.2.2 as the referenced fixed/bellwether release in t...
CVE-2006-3936
Alkacon OpenCms is affected by a JSP source disclosure in system/workplace/editors/editor.jsp prior to version 6.2.2. The vulnerability allows an authenticated user to read the source code of arbitrary JSP files by supplying the file path via the resource parameter (demonstrated with index.jsp). ...
CVE-2008-1510
CVE-2008-1510 describes a Cross-site scripting (XSS) vulnerability in Alkacon OpenCMS 7.0.3, specifically in the page system/workplace/admin/accounts/users_list.jsp. An attacker can inject arbitrary script/HTML via the (1) searchfilter or (2) listSearchFilter parameters, potentially affecting use...
CVE-2006-3934
Affected software: Alkacon OpenCms prior to 6.2.2. Vulnerability: Absolute path traversal in downloadTrigger.jsp via the filePath parameter, allowing remote authenticated users to download arbitrary files. Root cause: improper handling/validation of absolute pathnames in filePath. Impact: pot...
CVE-2013-4600
OpenCms
CVE-2021-25968
OpenCMS versions 10.5.0–11.0.2 are affected by a stored XSS in the Sitemap functionality. Low-privileged application users can store malicious scripts, which execute in a victim’s browser when the vulnerable page is opened. Exploitation details or patches are not provided in the supplied documents.
CVE-2019-11819
CVE-2019-11819 affects Alkacon OpenCMS v10.5.4 and earlier. The vulnerability is a CSV (Excel Macro) Injection in the New User module (path: /opencms/system/workplace/admin/accounts/user_new.jsp) triggered via the First Name or Last Name fields. The connected documents confirm the same issue acro...
CVE-2008-1301
The CVE-2008-1301 entry concerns Alkacon OpenCms (versions 7.0.3 and 7.0.4). The vulnerability is an absolute path traversal in logfileViewSettings.jsp (path: system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp) that allows remote authenticated administrators to read arbitrary fi...
CVE-2015-2351
CVE-2015-2351 describes multiple XSS flaws in Alkacon OpenCms 9.5.1 and earlier caused by insufficient input filtering. Attackers can inject arbitrary script/HTML via five vectors: homelink in system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp; workplaceresource in system/workpl...
CVE-2005-4294
Alkacon OpenCms
CVE-2008-1045
Alkacon OpenCMS 7.0.3 contains a Cross-site Scripting (XSS) vulnerability in the file tree navigation function (system/workplace/views/explorer/tree_files.jsp). The issue allows remote attackers to inject arbitrary web script or HTML via the resource parameter. No other concrete details (such as ...
CVE-2008-1300
CVE-2008-1300 describes a cross-site scripting (XSS) vulnerability in Alkacon OpenCms, specifically in the Logfile Viewer Settings function (system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp) in OpenCms 7.0.3 and 7.0.4. The flaw allows remote attackers to inject arbitrary web s...
CVE-2008-1753
CVE-2008-1753 is an XSS vulnerability in Alkacon OpenCMS 7.0.3, specifically in system/workplace/admin/workplace/sessions.jsp where the searchfilter parameter is not properly sanitized. The issue (different vector from CVE-2008-1510) allows remote attackers to inject arbitrary script/HTML, as doc...
CVE-2026-2735
CVE-2026-2735 describes a Stored XSS in Alkacon’s OpenCms v18.0. The vulnerability occurs when user input is not properly validated in a POST request to /blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt using the text parameter. According to the record, the impact is limited to the vulnerab...
CVE-2026-2736
Alkacon OpenCms 18.0 is affected by CVE-2026-2736: a reflected XSS vulnerability exploitable by sending a user a malicious URL containing the q parameter in /search/index.html. The issue allows execution of JavaScript in the victim’s browser, enabling potential access to session cookies or action...