[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Cross Site Scripting | Alkacon OpenCMS v10.5.4 and before

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Cross Site Scripting | Alkacon OpenCMS v10.5.4 and before
From: Pramod Rana <varchashva@xxxxxxxxx>
Date: Wed, 8 May 2019 16:33:00 +0530

Description: OpenCMS v10.5.4 and before is vulnerable to cross site
scripting in New User module for parameter First Name and Last Name

Impacted URL is
http://[your_webserver_ip]/opencms/system/workplace/admin/accounts/user_new.jsp

Payload used in PoC is "TestXSS<img+src=x+onmouseover=alert(document.domain)

Further details is available here
https://github.com/alkacon/opencms-core/issues/635

Already requested for CVE, yet to receive it.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: Re: [FD] dotCMS v5.1.1 HTML Injection & XSS Vulnerability
Next by Date: [FD] CSV Injection | Alkacon OpenCMS v10.5.4 and before
Previous by thread: Re: [FD] dotCMS v5.1.1 HTML Injection & XSS Vulnerability
Next by thread: [FD] CSV Injection | Alkacon OpenCMS v10.5.4 and before
Index(es):
- Date
- Thread