8 results (0.012 seconds)

CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 1

A stored cross-site scripting (XSS) vulnerability in alkacon-OpenCMS v11.0.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field under the Upload Image module. • https://github.com/alkacon/opencms-core/commit/21bfbeaf6b038e2c03bb421ce7f0933dd7a7633e https://github.com/alkacon/opencms-core/issues/652 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

In “OpenCMS”, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. En "OpenCMS", versiones 10.5.0 a 11.0.2, están afectadas por una vulnerabilidad de tipo XSS almacenado que permite a usuarios de aplicaciones poco privilegiado almacenar scripts maliciosos en la funcionalidad Sitemap. Estos scripts se ejecutan en el navegador de la víctima cuando ésta abre la página que contiene el campo vulnerable • https://github.com/alkacon/mercury-template/commit/800945f5d02346c633c7aef9f5d596d7dedc8fb5 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25968 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1

An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document. Una vulnerabilidad de tipo XML external entity (XXE) en Alkacon OpenCms versiones 11.0, 11.0.1 y 11.0.2, permite a usuarios remotos autenticados con privilegios de edición exfiltrar archivos del sistema de archivos del servidor al cargar un documento SVG diseñado • https://github.com/alkacon/opencms-core/issues/725 https://github.com/alkacon/opencms-core/releases • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 2

In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface. En system/workplace/ en Alkacon OpenCms versiones 10.5.4 y 10.5.5, hay múltiples problemas de tipo XSS Reflejado y Almacenado en la interfaz de administración. Alkacon OpenCMS version 10.5.x suffers from a cross site scripting vulnerability in its site management functionality. • https://www.exploit-db.com/exploits/47339 http://packetstormsecurity.com/files/154283/Alkacon-OpenCMS-10.5.x-Cross-Site-Scripting.html https://aetsu.github.io/OpenCms https://github.com/alkacon/opencms-core/commits/branch_10_5_x https://twitter.com/aetsu/status/1152096227938459648 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 2

Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name. Alkacon OpenCMS v10.5.4 y anteriores se ve afectado por la inyección CSV (también conocida como Excel Macro) en el módulo Nuevo Usuario (/opencms/system/workplace/admin/accounts/user_new.jsp) mediante el Nombre o Apellido. • https://github.com/alkacon/opencms-core/issues/636 https://www.openwall.com/lists/oss-security/2019/05/05/2 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •