CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 2CVE-2019-11819
https://notcve.org/view.php?id=CVE-2019-11819
Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name. Alkacon OpenCMS v10.5.4 y anteriores se ve afectado por la inyección CSV (también conocida como Excel Macro) en el módulo Nuevo Usuario (/opencms/system/workplace/admin/accounts/user_new.jsp) mediante el Nombre o Apellido. • https://github.com/alkacon/opencms-core/issues/636 https://www.openwall.com/lists/oss-security/2019/05/05/2 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2019-11818
https://notcve.org/view.php?id=CVE-2019-11818
Alkacon OpenCMS v10.5.4 and before is affected by stored cross site scripting (XSS) in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp). This allows an attacker to insert arbitrary JavaScript as user input (First Name or Last Name), which will be executed whenever the affected snippet is loaded. Alkacon OpenCMS versión 10.5.4 y anterior, se ve afectado por los cross site scripting (XSS) almacenados en el módulo New User (/opencms/system/workplace/admin/accounts/user_new.jsp). Esto permite que un atacante introducir JavaScript arbitrario como entrada del usuario (Nombre o Apellido), que será ejecutado siempre que se cargue el fragmento de código afectado. • https://github.com/alkacon/opencms-core/issues/635 https://www.openwall.com/lists/oss-security/2019/04/30/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 12EXPL: 2CVE-2013-4600 – OpenCMS 8.5.1 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2013-4600
Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms before 8.5.2 allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to system/workplace/views/admin/admin-main.jsp or the (2) requestedResource parameter to system/login/index.html. Múltiples vulnerabilidades de cross-site scripting (XSS) en Alkacon OpenCms anterior a v8.5.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro (1) “title” en system/workplace/views/admin/admin-main.jsp o en el parámetro (2) “requestedResource” en system/login/index.html OpenCMS version 8.5.1 suffers from a cross site scripting vulnerability. • http://archives.neohapsis.com/archives/bugtraq/2013-07/0113.html http://www.opencms.org/en/news/130710-opencms-v852-releasenotes.html https://github.com/alkacon/opencms-core/issues/173 https://www.htbridge.com/advisory/HTB23160 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.5EPSS: 0%CPEs: 6EXPL: 2CVE-2006-3933
https://notcve.org/view.php?id=CVE-2006-3933
Cross-site scripting (XSS) vulnerability in Alkacon OpenCms before 6.2.2 allows remote authenticated users to inject arbitrary web script or HTML via the message body. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Alkacon OpenCms before 6.2.2 permite a atacantes remotos autenticados inyectar secuencias de comandos web o HTML de su elección mediante el cuerpo del mensaje. • http://o0o.nu/~meder/OpenCMS_multiple_vulnerabilities.txt http://secunia.com/advisories/21193 http://securityreason.com/securityalert/1302 http://www.opencms.org/export/download/opencms/opencms_6.2.2_src.zip http://www.opencms.org/opencms/en/shownews.html?id=1002 http://www.securityfocus.com/archive/1/441182/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/28033 •
CVSS: 4.0EPSS: 0%CPEs: 6EXPL: 2CVE-2006-3934
https://notcve.org/view.php?id=CVE-2006-3934
Absolute path traversal vulnerability in downloadTrigger.jsp in Alkacon OpenCms before 6.2.2 allows remote authenticated users to download arbitrary files via an absolute pathname in the filePath parameter. Vulnerabilidad de cruce de ruta absoluta en downloadTrigger.jsp en Alkacon OpenCms anterior a 6.2.2 permite a usuarios remotos autenticados bajarse ficheros de su elección mediante un nombre de ruta absoluto en el parámetro filePath. • http://o0o.nu/~meder/OpenCMS_multiple_vulnerabilities.txt http://secunia.com/advisories/21193 http://securityreason.com/securityalert/1302 http://www.opencms.org/export/download/opencms/opencms_6.2.2_src.zip http://www.opencms.org/opencms/en/shownews.html?id=1002 http://www.securityfocus.com/archive/1/441182/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/28000 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •