CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25968 – OpenCMS - Stored Cross-Site Scripting (XSS) in Sitemap
https://notcve.org/view.php?id=CVE-2021-25968
In “OpenCMS”, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. En "OpenCMS", versiones 10.5.0 a 11.0.2, están afectadas por una vulnerabilidad de tipo XSS almacenado que permite a usuarios de aplicaciones poco privilegiado almacenar scripts maliciosos en la funcionalidad Sitemap. Estos scripts se ejecutan en el navegador de la víctima cuando ésta abre la página que contiene el campo vulnerable • https://github.com/alkacon/mercury-template/commit/800945f5d02346c633c7aef9f5d596d7dedc8fb5 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25968 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 2CVE-2019-13236 – Alkacon OpenCMS 10.5.x - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-13236
In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface. En system/workplace/ en Alkacon OpenCms versiones 10.5.4 y 10.5.5, hay múltiples problemas de tipo XSS Reflejado y Almacenado en la interfaz de administración. Alkacon OpenCMS version 10.5.x suffers from a cross site scripting vulnerability in its site management functionality. • https://www.exploit-db.com/exploits/47339 http://packetstormsecurity.com/files/154283/Alkacon-OpenCMS-10.5.x-Cross-Site-Scripting.html https://aetsu.github.io/OpenCms https://github.com/alkacon/opencms-core/commits/branch_10_5_x https://twitter.com/aetsu/status/1152096227938459648 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 2CVE-2019-11819
https://notcve.org/view.php?id=CVE-2019-11819
Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name. Alkacon OpenCMS v10.5.4 y anteriores se ve afectado por la inyección CSV (también conocida como Excel Macro) en el módulo Nuevo Usuario (/opencms/system/workplace/admin/accounts/user_new.jsp) mediante el Nombre o Apellido. • https://github.com/alkacon/opencms-core/issues/636 https://www.openwall.com/lists/oss-security/2019/05/05/2 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2019-11818
https://notcve.org/view.php?id=CVE-2019-11818
Alkacon OpenCMS v10.5.4 and before is affected by stored cross site scripting (XSS) in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp). This allows an attacker to insert arbitrary JavaScript as user input (First Name or Last Name), which will be executed whenever the affected snippet is loaded. Alkacon OpenCMS versión 10.5.4 y anterior, se ve afectado por los cross site scripting (XSS) almacenados en el módulo New User (/opencms/system/workplace/admin/accounts/user_new.jsp). Esto permite que un atacante introducir JavaScript arbitrario como entrada del usuario (Nombre o Apellido), que será ejecutado siempre que se cargue el fragmento de código afectado. • https://github.com/alkacon/opencms-core/issues/635 https://www.openwall.com/lists/oss-security/2019/04/30/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2018-8811 – OpenCMS 10.5.3 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2018-8811
Cross-site request forgery (CSRF) vulnerability in system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation. Note: It is argued that OpenCMS allows only registered users to upload different kind of content artifacts (SVG, .doc, .docx). The uploaded content is stored in the CMS content repository "as is". In case of scripts inside an SVG, this may or may not be "malicious", there is no way of knowing if the uploaded SVG contains the script for a reason. To exploit the "issue", a user must have an account in the CMS as a content manager ** EN DISPUTA ** Vulnerabilidad de Cross-Site Request Forgery (CSRF) en system/workplace/admin/accounts/user_role.jspen OpenCMS versión 10.5.3 permite a los atacantes remotos secuestrar la autenticación de los usuarios administrativos para peticiones que realizan una escalada de privilegios. • https://www.exploit-db.com/exploits/44391 https://github.com/alkacon/opencms-core/issues/586 • CWE-352: Cross-Site Request Forgery (CSRF) •